Commit d3aba35

feat(EC-1868): use conforma/tekton-catalog for conforma task
Switch the git resolver from conforma/cli to conforma/tekton-catalog and hard-code the revision SHA instead of using the verify_ec_task_git_revision param, which is defined in a configmap with its own change workflow in another repo. The param is kept for backwards compatibility but its value is now ignored.

The motivation for this change is that we want to have a simple and clear atomic roll-out (and roll-back if needed) workflow for Conforma updates. The current system where the reference is in a configmap and gets passed as a param makes that difficult.

Also, the current conforma/cli git resolver reference has the disadvantage of not using a pinned version of the Conforma CLI, hence a change merged to main branch Conforma goes live instantly. The conforma/tekton-catalog definition does not have this problem, since the cli image used by the task is pinned there, updates only go live when the git sha ref we're introducing in this PR gets updated.

Also in this PR: Add a todo about the one instance of the task (in the calunga-push-to-pulp pipeline) that might need some more careful testing before updating. Since the version of the task it's currently using is almost a year old, there's a chance the params need to be changed. To reduce the risk of breaking something, and because I don't have a good way to test the calunga-push-to-pulp pipeline, I don't want to do it in this PR, so to be cautious I'm leaving it alone and flagging it as a todo for someone else to fix later.

Signed-off-by: Simon Baird <sbaird@redhat.com>
Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
1 parent ab9a39d commit d3aba35

45 files changed

Lines changed: 123 additions & 88 deletions

.github/workflows/lint.yaml

Lines changed: 0 additions & 1 deletion
@@ -213,7 +213,6 @@ jobs:
213213
github.event.pull_request.head.repo.html_url ||
214214
github.event.merge_group.head_repo.html_url
215215
}}
216-
verify_ec_task_git_revision=main
217216
mobster_tasks_git_revision=main
218217
check-agents-md:
219218
name: Check AGENTS.md line count
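Review bot: Dropping `verify_ec_task_git_revision=main` from this list of values in lint.yaml is only safe if every pipeline that still declares the param now carries a default. The hunks shown here add `default: ignored` to calunga-push-to-pulp, e2e, fbc-release and push-artifacts-to-cdn, but only some of the 45 changed files are shown, so confirm that no remaining pipeline declares the param without a default.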

pipelines/managed/calunga-push-to-pulp/README.md

Lines changed: 1 addition & 1 deletion
@@ -15,7 +15,7 @@ Release Components in a Snapshot to a pulp-backed python index. Each image in a
1515
| enterpriseContractExtraRuleData | Extra rule data to be merged into the policy specified in params.enterpriseContractPolicy. Use syntax "key1=value1,key2=value2..." | Yes | pipeline_intention=release |
1616
| enterpriseContractTimeout | Timeout setting for `ec validate` | Yes | 40m0s |
1717
| verify_ec_task_bundle | The location of the bundle containing the verify-enterprise-contract task | No | - |
18-
| verify_ec_task_git_revision | The git revision to be used when consuming the verify-conforma task | No | - |
18+
| verify_ec_task_git_revision | Previously used for the Conforma task git resolver, now deprecated and ignored | Yes | ignored |
1919
| taskGitUrl | The url to the git repo where the release-service-catalog tasks to be used are stored | Yes | https://github.com/konflux-ci/release-service-catalog.git |
2020
| taskGitRevision | The revision in the taskGitUrl repo to be used | Yes | production |
2121
| pulpBaseUrl | The base URL of the Pulp server | Yes | https://packages.redhat.com |
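Review bot: The new description on the `verify_ec_task_git_revision` row says the param was previously used for the Conforma task git resolver, but in the calunga-push-to-pulp.yaml lines shown on this page the resolver `revision` is a hard-coded SHA (`cdfd9188f9352d7269ae1fe8c273a9e67f60ab8a`) both before and after the change. If the param never fed the resolver in this pipeline, word this row as "deprecated and ignored" only, so the README does not suggest a behaviour change here.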

pipelines/managed/calunga-push-to-pulp/calunga-push-to-pulp.yaml

Lines changed: 17 additions & 2 deletions
@@ -42,7 +42,8 @@ spec:
4242
description: The location of the bundle containing the verify-enterprise-contract task
4343
- name: verify_ec_task_git_revision
4444
type: string
45-
description: The git revision to be used when consuming the verify-conforma task
45+
description: Previously used for the Conforma task git resolver, now deprecated and ignored
46+
default: ignored
4647
- name: taskGitUrl
4748
type: string
4849
description: The url to the git repo where the release-service-catalog tasks to be used are stored
@@ -182,14 +183,28 @@ spec:
182183
runAfter:
183184
- collect-data
184185

186+
# TODO: This task is using an old git ref from a deprecated location. Migrating to
187+
# the current latest Conforma task might require some param changes, so to avoid
188+
# breaking something I'm leaving it untouched for now. Fix me soon I guess. The git
189+
# sha being referenced is from "Jul 9 08:58:49 2025". It should be updated to the
190+
# git resolver params used in all other pipelines in this repo, currently this:
191+
#
192+
# - name: url
193+
# value: https://github.com/conforma/tekton-catalog
194+
# - name: revision
195+
# value: "515fb114f8cfeb9206ec5ffb90a6f9cf851cc941"
196+
# - name: pathInRepo
197+
# value: "tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml"
198+
#
185199
- name: verify-enterprise-contract
186200
taskRef:
187201
resolver: "git"
188202
params:
203+
# TODO: Should be changed to https://github.com/conforma/tekton-catalog
204+
# and the revision should be updated. See longer explanation above.
189205
- name: url
190206
value: https://github.com/enterprise-contract/ec-cli
191207
- name: revision
192-
# TODO: How to keep this up to date?
193208
value: cdfd9188f9352d7269ae1fe8c273a9e67f60ab8a
194209
- name: pathInRepo
195210
value: "tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml"
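Review bot: The TODO block added above `verify-enterprise-contract` has no owner or tracking reference, and "Fix me soon I guess" gives no trigger for the follow-up, so this pipeline can keep resolving its verification task from the deprecated `enterprise-contract/ec-cli` location at a revision the comment itself dates to Jul 9 2025. Link an issue in the comment so the migration is tracked. The `revision` value copied into the commented-out example will also go stale as soon as the other pipelines are bumped; point to one of those pipeline files instead of repeating the SHA.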

pipelines/managed/e2e/README.md

Lines changed: 1 addition & 1 deletion
@@ -15,7 +15,7 @@ affected by RHTAP services or which results could affect the RHTAP workflow.
1515
| enterpriseContractPolicy | JSON representation of the EnterpriseContractPolicy | No | - |
1616
| enterpriseContractExtraRuleData | Extra rule data to be merged into the policy specified in params.enterpriseContractPolicy. Use syntax "key1=value1,key2=value2..." | Yes | pipeline_intention=release |
1717
| verify_ec_task_bundle | The location of the bundle containing the verify-enterprise-contract task | No | - |
18-
| verify_ec_task_git_revision | The git revision to be used when consuming the verify-conforma task | No | - |
18+
| verify_ec_task_git_revision | Previously used for the Conforma task git resolver, now deprecated and ignored | Yes | ignored |
1919
| taskGitUrl | The url to the git repo where the release-service-catalog tasks to be used are stored | Yes | https://github.com/konflux-ci/release-service-catalog.git |
2020
| taskGitRevision | The revision in the taskGitUrl repo to be used | No | - |
2121
| ociStorage | The OCI repository where the Trusted Artifacts are stored | Yes | quay.io/konflux-ci/release-service-trusted-artifacts |

pipelines/managed/e2e/e2e.yaml

Lines changed: 4 additions & 3 deletions
@@ -41,7 +41,8 @@ spec:
4141
description: The location of the bundle containing the verify-enterprise-contract task
4242
- name: verify_ec_task_git_revision
4343
type: string
44-
description: The git revision to be used when consuming the verify-conforma task
44+
description: Previously used for the Conforma task git resolver, now deprecated and ignored
45+
default: ignored
4546
- name: taskGitUrl
4647
type: string
4748
description: The url to the git repo where the release-service-catalog tasks to be used are stored
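Review bot: With `default: ignored` on `verify_ec_task_git_revision` and nothing referencing the param any more, a caller that still passes a revision gets no indication that the value is dropped. Extend the description to say where the revision is now set (the hard-coded `revision` in the `git` resolver params of this file), so anyone trying to roll Conforma forward or back through the param knows where to look.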
@@ -104,9 +105,9 @@ spec:
104105
resolver: "git"
105106
params:
106107
- name: url
107-
value: https://github.com/conforma/cli
108+
value: https://github.com/conforma/tekton-catalog
108109
- name: revision
109-
value: "$(params.verify_ec_task_git_revision)"
110+
value: "515fb114f8cfeb9206ec5ffb90a6f9cf851cc941"
110111
- name: pathInRepo
111112
value: "tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml"
112113
params:
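Review bot: The hard-coded `revision` at new line 110 carries no comment saying what it corresponds to, and the same 40-character SHA is repeated in the fbc-release and push-artifacts-to-cdn hunks. Add a short comment with the catalog commit date or release, as the calunga TODO does for the old SHA, and consider a lint check that every pipeline referencing `conforma/tekton-catalog` uses the same revision, so that a partial bump fails CI instead of shipping mixed versions.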

pipelines/managed/fbc-release/README.md

Lines changed: 1 addition & 1 deletion
@@ -14,7 +14,7 @@ Tekton release pipeline to interact with FBC Pipeline
1414
| enterpriseContractPolicy | JSON representation of the EnterpriseContractPolicy | No | - |
1515
| enterpriseContractExtraRuleData | Extra rule data to be merged into the policy specified in params.enterpriseContractPolicy. Use syntax "key1=value1,key2=value2..." | Yes | pipeline_intention=release |
1616
| verify_ec_task_bundle | The location of the bundle containing the verify-enterprise-contract task | No | - |
17-
| verify_ec_task_git_revision | The git revision to be used when consuming the verify-conforma task | No | - |
17+
| verify_ec_task_git_revision | Previously used for the Conforma task git resolver, now deprecated and ignored | Yes | ignored |
1818
| taskGitUrl | The url to the git repo where the release-service-catalog tasks to be used are stored | Yes | https://github.com/konflux-ci/release-service-catalog.git |
1919
| taskGitRevision | The revision in the taskGitUrl repo to be used | No | - |
2020
| ociStorage | The OCI repository where the Trusted Artifacts are stored | Yes | quay.io/konflux-ci/release-service-trusted-artifacts |

pipelines/managed/fbc-release/fbc-release.yaml

Lines changed: 4 additions & 3 deletions
@@ -40,7 +40,8 @@ spec:
4040
description: The location of the bundle containing the verify-enterprise-contract task
4141
- name: verify_ec_task_git_revision
4242
type: string
43-
description: The git revision to be used when consuming the verify-conforma task
43+
description: Previously used for the Conforma task git resolver, now deprecated and ignored
44+
default: ignored
4445
- name: taskGitUrl
4546
type: string
4647
description: The url to the git repo where the release-service-catalog tasks to be used are stored
@@ -233,9 +234,9 @@ spec:
233234
resolver: "git"
234235
params:
235236
- name: url
236-
value: https://github.com/conforma/cli
237+
value: https://github.com/conforma/tekton-catalog
237238
- name: revision
238-
value: "$(params.verify_ec_task_git_revision)"
239+
value: "515fb114f8cfeb9206ec5ffb90a6f9cf851cc941"
239240
- name: pathInRepo
240241
value: "tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml"
241242
params:
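Review bot: `url` and `revision` change here, but `pathInRepo` at new line 241 stays as `tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml`. Confirm that this path exists in `conforma/tekton-catalog` at the pinned revision, since the git resolver will fail to resolve the task at run time if the catalog lays its tasks out differently from `conforma/cli`.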

pipelines/managed/push-artifacts-to-cdn/README.md

Lines changed: 1 addition & 1 deletion
@@ -15,7 +15,7 @@ It uses InternalRequests so that it can be run on both public and private cluste
1515
| enterpriseContractPolicy | JSON representation of the EnterpriseContractPolicy | No | - |
1616
| enterpriseContractExtraRuleData | Extra rule data to be merged into the policy specified in params.enterpriseContractPolicy. Use syntax "key1=value1,key2=value2..." | Yes | pipeline_intention=release |
1717
| verify_ec_task_bundle | The location of the bundle containing the verify-enterprise-contract task | No | - |
18-
| verify_ec_task_git_revision | The git revision to be used when consuming the verify-conforma task | No | - |
18+
| verify_ec_task_git_revision | Previously used for the Conforma task git resolver, now deprecated and ignored | Yes | ignored |
1919
| taskGitUrl | The url to the git repo where the release-service-catalog tasks to be used are stored | Yes | https://github.com/konflux-ci/release-service-catalog.git |
2020
| taskGitRevision | The revision in the taskGitUrl repo to be used | No | - |
2121
| ociStorage | The OCI repository where the Trusted Artifacts are stored | Yes | quay.io/konflux-ci/release-service-trusted-artifacts |

pipelines/managed/push-artifacts-to-cdn/push-artifacts-to-cdn.yaml

Lines changed: 4 additions & 3 deletions
@@ -41,7 +41,8 @@ spec:
4141
description: The location of the bundle containing the verify-enterprise-contract task
4242
- name: verify_ec_task_git_revision
4343
type: string
44-
description: The git revision to be used when consuming the verify-conforma task
44+
description: Previously used for the Conforma task git resolver, now deprecated and ignored
45+
default: ignored
4546
- name: taskGitUrl
4647
type: string
4748
description: The url to the git repo where the release-service-catalog tasks to be used are stored
@@ -237,9 +238,9 @@ spec:
237238
resolver: "git"
238239
params:
239240
- name: url
240-
value: https://github.com/conforma/cli
241+
value: https://github.com/conforma/tekton-catalog
241242
- name: revision
242-
value: "$(params.verify_ec_task_git_revision)"
243+
value: "515fb114f8cfeb9206ec5ffb90a6f9cf851cc941"
243244
- name: pathInRepo
244245
value: "tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml"
245246
params:

pipelines/managed/push-artifacts-to-storage/README.md

Lines changed: 1 addition & 1 deletion
@@ -15,7 +15,7 @@ Tekton pipeline to push rpms into the artifact storage instance.
1515
| taskGitRevision | The revision in the taskGitUrl repo to be used | No | - |
1616
| enterpriseContractPolicy | JSON representation of the EnterpriseContractPolicy | Yes | brew-rhel-sst-prod |
1717
| enterpriseContractExtraRuleData | Extra rule data to be merged into the policy specified in params.enterpriseContractPolicy. Use syntax "key1=value1,key2=value2..." | Yes | pipeline_intention=release |
18-
| verify_ec_task_git_revision | The git revision to be used when consuming the verify-conforma task | No | - |
18+
| verify_ec_task_git_revision | Previously used for the Conforma task git resolver, now deprecated and ignored | Yes | ignored |
1919
| ociStorage | The OCI repository where the Trusted Artifacts are stored | Yes | quay.io/konflux-ci/release-service-trusted-artifacts |
2020
| orasOptions | oras options to pass to Trusted Artifacts calls | Yes | "" |
2121
| trustedArtifactsDebug | Flag to enable debug logging in trusted artifacts. Set to a non-empty string to enable | Yes | "" |
