Skip to content

feat(ISV-7320): add direct-sign-index-image task#2315

Open
JakubDurkac wants to merge 1 commit into
konflux-ci:developmentfrom
JakubDurkac:ISV-7320
Open

feat(ISV-7320): add direct-sign-index-image task#2315
JakubDurkac wants to merge 1 commit into
konflux-ci:developmentfrom
JakubDurkac:ISV-7320

Conversation

@JakubDurkac

@JakubDurkac JakubDurkac commented Jun 23, 2026

Copy link
Copy Markdown

REFERENCE PR ADDING A SIMILAR TASK (rh-direct-sign-image): #2301

Describe your changes

New Tekton task direct-sign-index-image for signing FBC index images via the container-signing pipeline. The task has similar functionality to old sign-index-image task, but it uses direct container signing instead of Radas/UMB solution. Also, it outsources all the existing core logic from bash to a new python util it invokes - direct_sign_index_image.py, passing all parameters as CLI arguments.

  • Passes signing params (pyxis-server, pipeline, pipeline-image, requester, batch-max-size, etc.) as CLI arguments to Python
  • Pyxis secret mounted at /etc/secrets, paths set via env vars
  • Includes Tekton integration test using Python mock pattern
  • Generated README from task YAML

Assisted-by: Claude Opus 4.6

Relevant Jira

ISV-7320

Checklist before requesting a review

  • I have marked as draft or added do not merge label if there's a dependency PR
    • If you want reviews on your draft PR, you can add reviewers or add the release-service-maintainers handle if you are unsure who to tag
  • My commit message includes Signed-off-by: My name <email>
  • I read CONTRIBUTING.MD and commit formatting
  • I have run the README.md generator script in .github/scripts/readme_generator.sh and verified the results using .github/scripts/check_readme.sh
  • If an AI agent was used, I marked that via a commit footer like Assisted-By: Cursor

@mmalina

mmalina commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

It looks good in general, but not approving yet, until it's final. Also, a note on resources: From what I've seen, in many tasks, the memory had to be increased when switching to python. But maybe in this case it's ok - 1 GB is already a lot, so even if python adds some overhead, it shouldn't be that significant I'd say.

@JakubDurkac

JakubDurkac commented Jun 29, 2026

Copy link
Copy Markdown
Author

The release service util is merged (konflux-ci/release-service-utils#823). Waiting for release-service-utils fix PR of a related task to be merged. I assume we want to reference the image that comes out of it in this task before merging, same as task #2301 that's also waiting for that image.

New Tekton task for signing FBC index images via the container-signing
pipeline. The task has similar functionality to old sign-index-image
task, but it uses direct container signing instead of Radas/UMB
solution. Also, it outsources all the existing core logic from
bash to a new python util it invokes - direct_sign_index_image.py,
passing all parameters as CLI arguments.

- Passes signing params (pyxis-server, pipeline, pipeline-image,
  requester, batch-max-size, etc.) as CLI arguments to Python
- Pyxis secret mounted at /etc/secrets, paths set via env vars
- Includes Tekton integration test using Python mock pattern
- Generated README from task YAML

Assisted-by: Claude Opus 4.6
Signed-off-by: Jakub Durkac <jdurkac@redhat.com>
@JakubDurkac

Copy link
Copy Markdown
Author

The release-service-utils fix PR was merged, the image was updated in the reference task #2301 and I've updated the image here to match it. Should be ready for final review / approval @mmalina. Thanks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants