
feat(RELEASE-2352): added keyless params to verify-conforma task (2/2)#2109

Open
midnightercz wants to merge 1 commit into development from RELEASE-2352-3

Conversation

@midnightercz midnightercz commented Mar 31, 2026

Contributor

Describe your changes

Added parameters needed for verification of keyless signed containers to verify-conforma. This is the second part of the feature which adds the params to the rest of the pipelines using verify-conforma.

Relevant Jira

Checklist before requesting a review

  • I have marked as draft or added do not merge label if there's a dependency PR
    • If you want reviews on your draft PR, you can add reviewers or add the release-service-maintainers handle if you are unsure who to tag
  • My commit message includes Signed-off-by: My name <email>
  • I read CONTRIBUTING.MD and commit formatting
  • I have run the README.md generator script in .github/scripts/readme_generator.sh and verified the results using .github/scripts/check_readme.sh

snyk-io Bot commented Mar 31, 2026


Snyk checks have passed. No issues have been found so far.

Status   Scan Engine     Critical   High   Medium   Low   Total (0)
         Code Security   0          0      0        0     0 issues


@midnightercz midnightercz changed the base branch from development to RELEASE-2198-collect-signing-params March 31, 2026 12:45
@midnightercz midnightercz force-pushed the RELEASE-2352-3 branch 2 times, most recently from db6fab5 to e0b8846 March 31, 2026 13:22
@gbenhaim

Member

@midnightercz can we start by making this change only to the push-to-external-registry pipeline in order to reduce the blast radius in case of a bug?

@midnightercz midnightercz changed the base branch from RELEASE-2198-collect-signing-params to RELEASE-2352-fixed-rh-rpm-advisories March 31, 2026 14:03
@midnightercz midnightercz changed the title "feat(RELEASE-2352): added keyless attribtues to verify-comforma task" to "feat(RELEASE-2352): added keyless params to verify-comforma task" Mar 31, 2026
@midnightercz

Contributor Author

> @midnightercz can we start by making this change only to the push-to-external-registry pipeline in order to reduce the blast radius in case of a bug?

Yeah, ok.

@midnightercz midnightercz changed the title "feat(RELEASE-2352): added keyless params to verify-comforma task" to "feat(RELEASE-2352): added keyless params to verify-comforma task (2/2)" Mar 31, 2026
@happybhati

Contributor

Tiny nit: collect-singing-params in pipelines/managed/e2e/e2e.yaml runAfter — should be collect-signing-params.

@happybhati

Contributor

> Tiny nit: collect-singing-params in pipelines/managed/e2e/e2e.yaml runAfter — should be collect-signing-params.

Already fixed NVM, Thanks

@midnightercz midnightercz force-pushed the RELEASE-2352-fixed-rh-rpm-advisories branch from d9df61d to 83d80a8 April 1, 2026 06:57
@midnightercz

Contributor Author

blocked by #2119

@midnightercz

Contributor Author

/retest

qodo-code-review Bot commented Apr 15, 2026

Contributor

PR Reviewer Guide 🔍

(Review updated until commit 785bfad)

Warning

/review is deprecated. Use /agentic_review instead (removal date not yet scheduled).

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 4 🔵🔵🔵🔵⚪
🧪 No relevant tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

Dependency Bug

The verify-conforma task is now consuming results from collect-signing-params, but its runAfter list does not include collect-signing-params. This can lead to nondeterministic failures if Tekton schedules verify-conforma before collect-signing-params completes.

    - name: EXTRA_RULE_DATA
      value: $(params.enterpriseContractExtraRuleData)
    - name: WORKERS
      value: "$(tasks.collect-task-params.results.extractedValues[0])"
    - name: SOURCE_DATA_ARTIFACT
      value: "$(tasks.collect-data.results.sourceDataArtifact)"
    - name: TRUSTED_ARTIFACTS_DEBUG
      value: "$(params.trustedArtifactsDebug)"
    - name: CERTIFICATE_IDENTITY
      value: "$(tasks.collect-signing-params.results.tektonChainsIdentity)"
    - name: CERTIFICATE_OIDC_ISSUER
      value: "$(tasks.collect-signing-params.results.defaultOIDCIssuer)"
    - name: TUF_MIRROR
      value: "$(tasks.collect-signing-params.results.tufUrl)"
    - name: REKOR_HOST
      value: "$(tasks.collect-signing-params.results.rekorUrl)"
  runAfter:
    - validate-single-component
    - collect-task-params
- name: extract-checksums-from-image

Missing Task

verify-conforma was updated to use results from collect-signing-params and to depend on it, but this diff does not show the collect-signing-params task being added to the pipeline. Confirm the task exists in this pipeline (and produces the expected result names) or add it to avoid a pipeline validation/runtime error.

  - name: CERTIFICATE_IDENTITY
    value: "$(tasks.collect-signing-params.results.tektonChainsIdentity)"
  - name: CERTIFICATE_OIDC_ISSUER
    value: "$(tasks.collect-signing-params.results.defaultOIDCIssuer)"
  - name: TUF_MIRROR
    value: "$(tasks.collect-signing-params.results.tufUrl)"
  - name: REKOR_HOST
    value: "$(tasks.collect-signing-params.results.rekorUrl)"
runAfter:
  - collect-signing-params
  - filter-already-released-advisory-images

Ordering Risk

The new collect-signing-params task is placed after verify-access-to-resources, but it only declares runAfter: collect-data. If verify-access-to-resources is required before running tasks that resolve/consume cluster or external endpoints, consider also depending on verify-access-to-resources (or placing the task accordingly) to prevent running it too early in the DAG.

- name: collect-signing-params
  taskRef:
    resolver: "git"
    params:
      - name: url
        value: $(params.taskGitUrl)
      - name: revision
        value: $(params.taskGitRevision)
      - name: pathInRepo
        value: tasks/managed/collect-signing-params/collect-signing-params.yaml
  runAfter:
    - collect-data
- name: collect-task-params

📄 References
  1. No matching references available

@qodo-app-for-konflux-ci


PR Code Suggestions ✨

Warning

/improve is deprecated. Use /agentic_review instead (removal date not yet scheduled).

Inline suggestions were posted as code suggestions.

@seanconroy2021

Member

It LGTM other than my open comment #2109 (comment)

seanconroy2021 previously approved these changes Jun 2, 2026

Added parameters needed for verification of keyless signed containers
to verify-conforma. This is the second part of the feature which
adds the params to the rest of the pipelines using verify-conforma

Signed-off-by: Jindrich Luza <jluza@redhat.com>
Co-authored-by: qodo-code-review[bot]
<151058649+qodo-code-review[bot]@users.noreply.github.com>
@qodo-app-for-konflux-ci


Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (1) 📜 Skill insights (0)

Context used
✅ Compliance rules (platform): 25 rules



Remediation recommended

1. Missing runAfter ordering 🐞 Bug ☼ Reliability
Description
In release-to-github, verify-conforma consumes collect-signing-params task results but does not
include collect-signing-params in its runAfter list, unlike other pipelines. This creates ordering
ambiguity and can break on setups that rely on explicit runAfter edges for correct TaskRun
parameter/result resolution.
Code

pipelines/managed/release-to-github/release-to-github.yaml[R265-272]

+        - name: CERTIFICATE_IDENTITY
+          value: "$(tasks.collect-signing-params.results.tektonChainsIdentity)"
+        - name: CERTIFICATE_OIDC_ISSUER
+          value: "$(tasks.collect-signing-params.results.defaultOIDCIssuer)"
+        - name: TUF_MIRROR
+          value: "$(tasks.collect-signing-params.results.tufUrl)"
+        - name: REKOR_HOST
+          value: "$(tasks.collect-signing-params.results.rekorUrl)"
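Review bot: runAfter is not touched in this hunk, so verify-conforma now consumes collect-signing-params results while its runAfter still lists only validate-single-component and collect-task-params; add `- collect-signing-params` under runAfter as push-to-external-registry does, and confirm that the result names tektonChainsIdentity, defaultOIDCIssuer, tufUrl and rekorUrl are exactly those declared by the collect-signing-params task, since CERTIFICATE_IDENTITY and CERTIFICATE_OIDC_ISSUER are what restrict a keyless verification to the intended signer.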
Relevance

⭐⭐⭐ High

They merge explicit runAfter fixes to avoid races/ordering issues (PR #2202) and to make
dependencies explicit (PR #1148).


ⓘ Recommendations generated based on similar findings in past PRs

Evidence
release-to-github's verify-conforma references collect-signing-params results, but its runAfter only
lists validate-single-component and collect-task-params. In contrast, a comparable pipeline
(push-to-external-registry) both references collect-signing-params results and explicitly includes
collect-signing-params in runAfter, indicating the intended ordering pattern in this repo.

pipelines/managed/release-to-github/release-to-github.yaml[130-141]
pipelines/managed/release-to-github/release-to-github.yaml[234-276]
pipelines/managed/push-to-external-registry/push-to-external-registry.yaml[331-353]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`pipelines/managed/release-to-github/release-to-github.yaml` adds new `verify-conforma` params that reference `$(tasks.collect-signing-params.results.*)` but does not add `collect-signing-params` to the `verify-conforma.runAfter` list.

Other pipelines in this repo explicitly include `collect-signing-params` in `runAfter` when consuming its results; this one should match to avoid scheduling/ordering ambiguity.

## Issue Context
- `collect-signing-params` is a separate task that runs after `collect-data`.
- `verify-conforma` consumes `collect-signing-params` results (CERTIFICATE_* / TUF_MIRROR / REKOR_HOST).

## Fix Focus Areas
- pipelines/managed/release-to-github/release-to-github.yaml[234-276]




Informational

2. Edited calunga-push-to-pulp README 📘 Rule violation ⚙ Maintainability
Description
The PR modifies pipelines/managed/calunga-push-to-pulp/README.md, which is an auto-generated
README under pipelines/. This violates the rule that forbids any edits to README files in tasks/
and pipelines/.
Code

pipelines/managed/calunga-push-to-pulp/README.md[16]

-| enterpriseContractTimeout       | Timeout setting for `ec validate`                                                                                                  | Yes      | 40m0s                                                     |
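Review bot: this row is removed by hand from an auto-generated README (pipelines/managed/calunga-push-to-pulp/README.md); if enterpriseContractTimeout was dropped from the pipeline, regenerate the file with .github/scripts/readme_generator.sh and confirm it with .github/scripts/check_readme.sh (both listed in the PR checklist) so the parameter table stays in sync with the pipeline's declared params instead of diverging from the generator output.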
Relevance

⭐ Low

Repo updates pipelines/*/README.md in bulk; “no README edits” not consistently enforced (PRs #1159,
#1100).


ⓘ Recommendations generated based on similar findings in past PRs

Evidence
PR Compliance ID 1260 forbids any modifications to README.md files under pipelines/. The changed
file is pipelines/managed/calunga-push-to-pulp/README.md (a README under pipelines/), and the
diff shows it was modified by removing the enterpriseContractTimeout row.

Rule 1260: Do not manually edit auto-generated README files under tasks/ and pipelines/
pipelines/managed/calunga-push-to-pulp/README.md[13-19]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
This PR edits an auto-generated `README.md` under `pipelines/`, which is disallowed.

## Issue Context
Compliance requires that `README.md` files under `tasks/` and `pipelines/` are not edited in PRs.

## Fix Focus Areas
- pipelines/managed/calunga-push-to-pulp/README.md[13-19]

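To make the ordering check raised in the Dependency Bug / Missing Task observations and in the "Missing runAfter ordering" finding above reproducible, here is a small lint added for illustration (not code from the project or from Qodo): it walks a pipeline's task list, finds params that reference $(tasks.X.results.*), and reports tasks whose runAfter omits X, plus references to tasks that are not defined in the pipeline at all. The task list is a constructed fragment modelled on the release-to-github case; in real use it would be spec.tasks loaded from the pipeline YAML.

```python
import re

# Captures the producing task name from a Tekton result reference such as
# $(tasks.collect-signing-params.results.tufUrl).
RESULT_REF = re.compile(r"\$\(tasks\.([A-Za-z0-9_-]+)\.results\.[A-Za-z0-9_.\[\]-]+\)")


def referenced_tasks(task):
    """Names of the tasks whose results appear in this task's param values."""
    refs = set()
    for param in task.get("params", []):
        value = param.get("value", "")
        for v in (value if isinstance(value, list) else [value]):
            refs.update(RESULT_REF.findall(str(v)))
    return refs


def missing_run_after(tasks):
    """(consumer, producer) pairs where the result edge is not declared in runAfter."""
    return [(t["name"], dep) for t in tasks
            for dep in sorted(referenced_tasks(t) - set(t.get("runAfter", [])))]


def undefined_result_references(tasks):
    """(consumer, producer) pairs where the producer is not a task in the pipeline."""
    known = {t["name"] for t in tasks}
    return [(t["name"], dep) for t in tasks
            for dep in sorted(referenced_tasks(t) - known)]


# Constructed fragment modelled on the release-to-github case discussed above:
# verify-conforma consumes collect-signing-params results but does not list it.
PIPELINE_TASKS = [
    {"name": "collect-data"},
    {"name": "collect-signing-params", "runAfter": ["collect-data"]},
    {"name": "collect-task-params", "runAfter": ["collect-data"]},
    {"name": "verify-conforma",
     "params": [
         {"name": "WORKERS",
          "value": "$(tasks.collect-task-params.results.extractedValues[0])"},
         {"name": "CERTIFICATE_IDENTITY",
          "value": "$(tasks.collect-signing-params.results.tektonChainsIdentity)"},
         {"name": "REKOR_HOST",
          "value": "$(tasks.collect-signing-params.results.rekorUrl)"}],
     "runAfter": ["validate-single-component", "collect-task-params"]},
]

if __name__ == "__main__":
    for consumer, producer in missing_run_after(PIPELINE_TASKS):
        print(f"{consumer}: consumes {producer} results but runAfter omits it")
    for consumer, producer in undefined_result_references(PIPELINE_TASKS):
        print(f"{consumer}: references results of undefined task {producer}")
```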



9 participants