
Create the release pipeline for Lightwell Java artifacts#2322

Draft
brunoapimentel wants to merge 10 commits into
konflux-ci:developmentfrom
konflux-lightwell:slan-cuan-pipeline

Conversation

@brunoapimentel


Describe your changes

Includes the pipeline definitions to release Java artifacts built on the Lightwell pipeline. Leverages the functionality of Slan-Cuan.

This pipeline will be used in Konflux for the releasing of the Java
artifacts. The necessary tasks, however, will be hosted in the dedicated
Slan-Cuan repository, since they have a tight coupling with the CLI tool
that is also built from this repository.

Assisted-by: Claude Sonnet 4.5
Signed-off-by: Bruno Pimentel <bpimente@redhat.com>
arewm and others added 2 commits June 24, 2026 14:00
…via collect-data

Replace static pipeline params with dynamic extraction from RPA data blob.
Uses collect-data and collect-task-params tasks resolved from catalogGitUrl
to enable Trusted Artifacts handoff between pipeline stages.

Assisted-by: Claude Code (Sonnet 4.6)
@qodo-app-for-konflux-ci


PR Reviewer Guide 🔍

Warning

/review is deprecated. Use /agentic_review instead (removal date not yet scheduled).

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
🧪 No relevant tests
🔒 Security concerns

TLS verification bypass:
The pipeline exposes register-insecure and publish-insecure parameters that disable TLS verification for Trustify/Pulp calls. This can enable MITM attacks if set to "true". Consider enforcing "false" in production contexts (e.g., via policy/Enterprise Contract), adding strong warnings in docs, or constraining these params via admission/pipeline defaults for managed environments.

⚡ Recommended focus areas for review

Defaults

Validate that the default task repository URL/revision are intentional and consistent with the documented source of tasks, and ensure consumers won’t accidentally run against an unexpected catalog/revision.

- name: taskGitUrl
  type: string
  description: The url to the git repo where the tasks to be used are stored
  default: https://github.com/konflux-lightwell/slan-cuan.git
- name: taskGitRevision
  type: string
  description: The revision in the taskGitUrl repo to be used

Type Safety

Several boolean/numeric-like params are modeled as strings; confirm the referenced tasks expect strings (not typed booleans/ints) to avoid subtle comparison/validation issues at runtime.

- name: force-extract
  description: |
    Overwrite existing output directory if it exists.
    Without this flag, the extract task refuses to overwrite existing directories
  type: string
  default: "false"

# Sign parameters
- name: signing-key
  description: |
    Signing key name for RADAS.
    Identifies which signing key to use for cryptographic signatures
  type: string
- name: radas-config-secret
  description: |
    Kubernetes Secret name containing RADAS configuration JSON.
    The secret must have a `config.json` key with RADAS API URL and credentials
  type: string
  default: "radas-config"
- name: requester-id
  description: |
    Requester identity for signing operations.
    Used for audit trails and RADAS access control. Typically an email address
  type: string
  default: "slan-cuan@org.com"
- name: zip-root-path
  description: |
    Root of the Maven repository tree inside the ZIP archive submitted to RADAS.
    The ZIP file structure is <ZIP_ROOT_PATH>/<maven-layout>
  type: string
  default: "repository"
- name: product-key
  description: |
    Product key for metadata tagging.
    Identifies the product in RADAS records and signing logs
  type: string
  default: "slan-cuan"
- name: ignore-patterns
  description: |
    Comma-separated regex patterns to exclude files from signing.
    Example: ".*-sources\\.jar$,.*-javadoc\\.jar$" excludes source and javadoc JARs
  type: string
  default: ""

# Register parameters
- name: trustify-api-url
  description: |
    Trustify instance API URL.
    The base URL for the Trustify (TPA) SBOM ingestion API.
    Example: https://trustify.stage.example.com
  type: string
- name: sso-token-url
  description: |
    OIDC token endpoint URL.
    The OAuth2/OIDC token endpoint for Trustify authentication.
    Example: https://sso.example.com/auth/token
  type: string
- name: sso-secret-name
  description: |
    Kubernetes Secret name with OIDC credentials.
    The secret must have `client-id` and `client-secret` keys for OAuth2 client credentials flow
  type: string
  default: "trustify-sso"
- name: register-insecure
  description: |
    Disable TLS verification for Trustify API calls.
    Set to "true" to skip certificate validation (not recommended for production)
  type: string
  default: "false"
- name: register-retries
  description: |
    Number of retry attempts for Trustify API calls.
    The task will retry failed API calls this many times before giving up
  type: string
  default: "3"
- name: register-ca-cert-secret
  description: |
    Kubernetes Secret name for custom CA certificate (optional).
    The secret must have a `ca.crt` key containing the PEM-encoded CA certificate.
    Leave empty to use system CA bundle
  type: string
  default: ""

# Publish parameters
- name: pulp-url
  description: |
    Pulp instance base URL.
    The base URL for the Pulp content management system.
    Example: https://pulp.example.com
  type: string
- name: pulp-repository
  description: |
    Pulp Maven distribution name.
    The name of the target Pulp repository for artifact publishing.
    Example: lightwell-maven
  type: string
- name: publish-insecure
  description: |
    Disable TLS verification for Pulp API calls.
    Set to "true" to skip certificate validation (not recommended for production)
  type: string
  default: "false"
- name: publish-ca-cert-secret
  description: |
    Kubernetes Secret name for custom CA certificate (optional).
    The secret must have a `ca.crt` key containing the PEM-encoded CA certificate.
    Leave empty to use system CA bundle
  type: string
  default: ""

📚 Focus areas based on broader codebase context

Compatibility

The pipeline spec.params omits the standard Release Service parameters (release, releasePlan, releasePlanAdmission, releaseServiceConfig, snapshot, and typically enterpriseContractPolicy) that existing managed release pipelines accept and pass through to downstream tasks. If this pipeline is intended to be triggered by a Release CR like other managed pipelines, add these params (and wire them into relevant tasks) to keep it compatible with the established execution contract. (Ref 2, Ref 5)

params:
  # Pipeline infrastructure
  - name: taskGitUrl
    type: string
    description: The url to the git repo where the tasks to be used are stored
    default: https://github.com/konflux-lightwell/slan-cuan.git
  - name: taskGitRevision
    type: string
    description: The revision in the taskGitUrl repo to be used

  # Extract parameters
  - name: pnc-image
    description: |
      PNC container image reference to extract artifacts from.
      This is the image produced by Project Newcastle containing the deliverable artifacts and SBOM.
      Example: quay.io/pnc-builds/foo@sha256:xyz
    type: string
  - name: registry-auth-secret
    description: |
      Kubernetes Secret name for registry authentication (.dockerconfigjson format).
      Points to a Docker/Podman auth config for accessing private registries
    type: string
    default: "registry-auth"
  - name: force-extract
    description: |
      Overwrite existing output directory if it exists.
      Without this flag, the extract task refuses to overwrite existing directories
    type: string
    default: "false"

  # Sign parameters
  - name: signing-key
    description: |
      Signing key name for RADAS.
      Identifies which signing key to use for cryptographic signatures
    type: string
  - name: radas-config-secret
    description: |
      Kubernetes Secret name containing RADAS configuration JSON.
      The secret must have a `config.json` key with RADAS API URL and credentials
    type: string
    default: "radas-config"
  - name: requester-id
    description: |
      Requester identity for signing operations.
      Used for audit trails and RADAS access control. Typically an email address
    type: string
    default: "slan-cuan@org.com"
  - name: zip-root-path
    description: |
      Root of the Maven repository tree inside the ZIP archive submitted to RADAS.
      The ZIP file structure is <ZIP_ROOT_PATH>/<maven-layout>
    type: string
    default: "repository"
  - name: product-key
    description: |
      Product key for metadata tagging.
      Identifies the product in RADAS records and signing logs
    type: string
    default: "slan-cuan"
  - name: ignore-patterns
    description: |
      Comma-separated regex patterns to exclude files from signing.
      Example: ".*-sources\\.jar$,.*-javadoc\\.jar$" excludes source and javadoc JARs
    type: string
    default: ""

  # Register parameters
  - name: trustify-api-url
    description: |
      Trustify instance API URL.
      The base URL for the Trustify (TPA) SBOM ingestion API.
      Example: https://trustify.stage.example.com
    type: string
  - name: sso-token-url
    description: |
      OIDC token endpoint URL.
      The OAuth2/OIDC token endpoint for Trustify authentication.
      Example: https://sso.example.com/auth/token
    type: string
  - name: sso-secret-name
    description: |
      Kubernetes Secret name with OIDC credentials.
      The secret must have `client-id` and `client-secret` keys for OAuth2 client credentials flow
    type: string
    default: "trustify-sso"
  - name: register-insecure
    description: |
      Disable TLS verification for Trustify API calls.
      Set to "true" to skip certificate validation (not recommended for production)
    type: string
    default: "false"
  - name: register-retries
    description: |
      Number of retry attempts for Trustify API calls.
      The task will retry failed API calls this many times before giving up
    type: string
    default: "3"
  - name: register-ca-cert-secret
    description: |
      Kubernetes Secret name for custom CA certificate (optional).
      The secret must have a `ca.crt` key containing the PEM-encoded CA certificate.
      Leave empty to use system CA bundle
    type: string
    default: ""

  # Publish parameters
  - name: pulp-url
    description: |
      Pulp instance base URL.
      The base URL for the Pulp content management system.
      Example: https://pulp.example.com
    type: string
  - name: pulp-repository
    description: |
      Pulp Maven distribution name.
      The name of the target Pulp repository for artifact publishing.
      Example: lightwell-maven
    type: string
  - name: publish-insecure
    description: |
      Disable TLS verification for Pulp API calls.
      Set to "true" to skip certificate validation (not recommended for production)
    type: string
    default: "false"
  - name: publish-ca-cert-secret
    description: |
      Kubernetes Secret name for custom CA certificate (optional).
      The secret must have a `ca.crt` key containing the PEM-encoded CA certificate.
      Leave empty to use system CA bundle
    type: string
    default: ""

Reference reasoning: Existing managed release pipelines define a consistent set of Release Service params and propagate them into tasks (including setting a per-run subdirectory using $(context.pipelineRun.uid)). Aligning this pipeline’s params and task wiring to that pattern reduces integration risk with Release CR triggers and downstream tasks that expect those inputs.

📄 References
  1. konflux-ci/release-service-catalog/pipelines/managed/release-to-mrrc/release-to-mrrc.yaml [1-19]
  2. konflux-ci/release-service-catalog/pipelines/managed/release-to-mrrc/release-to-mrrc.yaml [20-39]
  3. konflux-ci/release-service-catalog/pipelines/managed/release-to-mrrc/release-to-mrrc.yaml [277-297]
  4. konflux-ci/release-service-catalog/pipelines/managed/release-to-mrrc/release-to-mrrc.yaml [245-263]
  5. konflux-ci/release-service-catalog/pipelines/managed/release-to-mrrc/release-to-mrrc.yaml [110-132]
  6. konflux-ci/release-service-catalog/pipelines/managed/release-to-mrrc/release-to-mrrc.yaml [212-231]
  7. konflux-ci/release-service-catalog/pipelines/managed/release-to-nrrc/release-to-nrrc.yaml [1-19]
  8. konflux-ci/release-service-catalog/pipelines/managed/release-to-nrrc/release-to-nrrc.yaml [20-39]
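The two review points above (the TLS-bypass switches and the string-typed boolean/numeric params) and the Compatibility note can be checked mechanically before a pipeline is merged. The following is an added example, not code from the PR or from the Qodo review; it assumes the pipeline spec has been loaded into a Python dict (for instance with yaml.safe_load) and uses a constructed subset of the params quoted above:

```python
import re
from typing import Dict, List

# Params every managed release pipeline is expected to declare (names taken from the
# Compatibility finding above).
RELEASE_SERVICE_PARAMS = ("release", "releasePlan", "releasePlanAdmission",
                          "releaseServiceConfig", "snapshot", "enterpriseContractPolicy")
BOOL_STRINGS = {"true", "false"}

# Constructed subset of spec.params, mirroring the pipeline YAML quoted in the review.
PIPELINE_SPEC = {
    "params": [
        {"name": "taskGitUrl", "type": "string",
         "default": "https://github.com/konflux-lightwell/slan-cuan.git"},
        {"name": "taskGitRevision", "type": "string"},
        {"name": "force-extract", "type": "string", "default": "false"},
        {"name": "register-insecure", "type": "string", "default": "false"},
        {"name": "register-retries", "type": "string", "default": "3"},
        {"name": "publish-insecure", "type": "string", "default": "false"},
    ]
}


def lint_pipeline_params(spec: dict) -> List[str]:
    """Return human-readable findings for the param declarations; empty means clean."""
    findings: List[str] = []
    declared = {p["name"]: p for p in spec.get("params", [])}
    for name, p in declared.items():
        default = p.get("default")
        if name.endswith("-insecure"):
            # TLS-bypass switches must exist, be strings, and default to exactly "false".
            if p.get("type", "string") != "string" or default != "false":
                findings.append(f'{name}: TLS-bypass switch must be type string with default '
                                f'"false", got {default!r}')
        elif isinstance(default, str) and default.lower() in BOOL_STRINGS \
                and default not in BOOL_STRINGS:
            # Tasks compare these strings literally, so "False" or "TRUE" silently misbehave.
            findings.append(f"{name}: boolean-like default {default!r} is not lowercase")
        elif name.endswith("-retries"):
            # Numeric-like strings must parse as a non-negative integer.
            if not (isinstance(default, str) and re.fullmatch(r"[0-9]+", default)):
                findings.append(f"{name}: numeric-like default must be an integer string, "
                                f"got {default!r}")
    for name in RELEASE_SERVICE_PARAMS:
        if name not in declared:
            findings.append(f"missing standard Release Service param: {name}")
    return findings


def check_run_overrides(spec: dict, run_params: List[Dict[str, str]]) -> List[str]:
    """Reject PipelineRun-level values that flip a *-insecure switch away from "false"."""
    declared = {p["name"] for p in spec.get("params", [])}
    findings: List[str] = []
    for rp in run_params:
        name, value = rp.get("name"), rp.get("value")
        if name not in declared:
            findings.append(f"{name}: not declared by the pipeline")
        elif name.endswith("-insecure") and value != "false":
            findings.append(f"{name}={value!r}: TLS verification bypass is not allowed "
                            f"in managed releases")
    return findings


if __name__ == "__main__":
    for line in lint_pipeline_params(PIPELINE_SPEC):
        print(line)
```

Run against the constructed spec it reports only the six missing Release Service params; wiring the same check into an admission or Enterprise Contract step is where the "enforce false in production" suggestion above would live.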

@qodo-app-for-konflux-ci

qodo-app-for-konflux-ci Bot commented Jun 24, 2026


Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (1) 📜 Skill insights (0)

Context used
✅ Compliance rules (platform): 25 rules



Action required

1. Added pipelines/.../README.md 📘 Rule violation ⚙ Maintainability
Description
This PR adds pipelines/managed/slan-cuan-release/README.md, which is disallowed because README
files under pipelines/ are treated as auto-generated and must not be edited directly. Keeping this
change risks future drift from generator output and violates the no-README-edits policy.
Code

pipelines/managed/slan-cuan-release/README.md[R1-3]

+# slan-cuan-release pipeline
+
+Release pipeline for Lightwell Java artifacts (slan-cuan).
Relevance

⭐⭐⭐ High

Repo policy: pipelines/ README.md are generated; “Do not edit them by hand” in AGENTS.md (PR #2204).

PR-#2204
PR-#1159

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
The checklist explicitly forbids adding/modifying any README.md under pipelines/. The diff shows
a new pipelines/managed/slan-cuan-release/README.md file being introduced with full content.

Rule 1260: Do not manually edit auto-generated README files under tasks/ and pipelines/
pipelines/managed/slan-cuan-release/README.md[1-85]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
A `README.md` was added under `pipelines/`, which is not allowed because these READMEs are auto-generated and must not be edited/committed directly.

## Issue Context
Compliance requires avoiding any content changes to `README.md` files under `tasks/` and `pipelines/`. Documentation should be produced via the repository’s README generation workflow rather than being edited in PRs.

## Fix Focus Areas
- pipelines/managed/slan-cuan-release/README.md[1-85]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools



Remediation recommended

2. README defaults mismatch ✓ Resolved 🐞 Bug ⚙ Maintainability
Description
The slan-cuan-release README documents defaults for taskGitUrl and requester-id that differ from
the actual Pipeline defaults, which can cause users to run against the wrong task repository and use
an unintended signing requester identity.
Code

pipelines/managed/slan-cuan-release/README.md[R65-72]

+| taskGitUrl              | The url to the git repo where the release-service-catalog tasks to be used are stored                                                                                                              | Yes      | https://github.com/konflux-ci/release-service-catalog.git |
+| taskGitRevision         | The revision in the taskGitUrl repo to be used                                                                                                                                                     | No       | -                                                         |
+| pnc-image               | PNC container image reference to extract artifacts from. This is the image produced by Project Newcastle containing the deliverable artifacts and SBOM. Example: quay.io/pnc-builds/foo@sha256:xyz | No       | -                                                         |
+| registry-auth-secret    | Kubernetes Secret name for registry authentication (.dockerconfigjson format). Points to a Docker/Podman auth config for accessing private registries                                              | Yes      | registry-auth                                             |
+| force-extract           | Overwrite existing output directory if it exists. Without this flag, the extract task refuses to overwrite existing directories                                                                    | Yes      | false                                                     |
+| signing-key             | Signing key name for RADAS. Identifies which signing key to use for cryptographic signatures                                                                                               | No       | -                                                         |
+| radas-config-secret     | Kubernetes Secret name containing RADAS configuration JSON. The secret must have a `config.json` key with RADAS API URL and credentials                                                            | Yes      | radas-config                                              |
+| requester-id            | Requester identity for signing operations. Used for audit trails and RADAS access control. Typically an email address                                                                              | Yes      | slan-cuan@example.com                                      |
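Review bot: the drift in this table is wider than the two defaults called out: the taskGitUrl row describes "release-service-catalog tasks" and defaults to release-service-catalog.git, while the pipeline YAML quoted earlier describes "the tasks to be used" and defaults to https://github.com/konflux-lightwell/slan-cuan.git; requester-id reads slan-cuan@example.com here versus "slan-cuan@org.com" in the YAML; and taskGitRevision is shown as required with no default although a later commit in this PR gives it a default of main. The signing-key row is also padded narrower than its neighbours. Since READMEs under pipelines/ are generator output, regenerate the table from the final YAML rather than patching rows by hand.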
Relevance

⭐⭐⭐ High

Team commonly keeps README param defaults aligned with YAML via generation/sync work (PR #1159).

PR-#1159

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
The README claims defaults pointing to release-service-catalog and a different requester-id email,
but the Pipeline YAML defaults to the slan-cuan repo and a different requester-id value; these are
direct contradictions.

pipelines/managed/slan-cuan-release/README.md[63-73]
pipelines/managed/slan-cuan-release/slan-cuan-release.yaml[21-28]
pipelines/managed/slan-cuan-release/slan-cuan-release.yaml[61-66]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The README parameter table lists default values for `taskGitUrl` and `requester-id` that do not match the Pipeline YAML defaults.

### Issue Context
This pipeline uses a git resolver; a wrong `taskGitUrl` default in docs can cause task resolution failures or running the wrong task set. `requester-id` impacts signing audit identity.

### Fix Focus Areas
- pipelines/managed/slan-cuan-release/README.md[63-75]
- pipelines/managed/slan-cuan-release/slan-cuan-release.yaml[21-24]
- pipelines/managed/slan-cuan-release/slan-cuan-release.yaml[61-66]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools



Informational

3. Broken markdown table row ✓ Resolved 🐞 Bug ⚙ Maintainability
Description
The sso-token-url row in the README parameters table is missing the Optional/Default columns and
trailing pipes, which breaks Markdown table rendering and obscures configuration details.
Code

pipelines/managed/slan-cuan-release/README.md[R76-78]

+| trustify-api-url        | Trustify instance API URL. The base URL for the Trustify (TPA) SBOM ingestion API. Example: https://trustify.stage.example.com                                                                      | No       | -                                                         |
+| sso-token-url           | OIDC token endpoint URL. The OAuth2/OIDC token endpoint for Trustify authentication. Example: https://sso.example.com/auth/realms/token
+| sso-secret-name         | Kubernetes Secret name with OIDC credentials. The secret must have `client-id` and `client-secret` keys for OAuth2 client credentials flow                                                         | Yes      | trustify-sso                                              |
Relevance

⭐⭐⭐ High

README markdown/table correctness fixes have been accepted before (e.g., README edits in PR #1074).

PR-#1074

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
The sso-token-url row ends without the expected | Optional | Default value | columns and
visually runs into the next row, which will render incorrectly in Markdown.

pipelines/managed/slan-cuan-release/README.md[63-79]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The `sso-token-url` entry in the Parameters Markdown table is missing columns and the terminating `|`, breaking table formatting.

### Issue Context
This makes the parameters documentation hard to read and can hide whether the parameter is optional and what its default is.

### Fix Focus Areas
- pipelines/managed/slan-cuan-release/README.md[76-79]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools



Comment on lines +1 to +3
# slan-cuan-release pipeline

Release pipeline for Lightwell Java artifacts (slan-cuan).


Action required

1. Added pipelines/.../readme.md 📘 Rule violation ⚙ Maintainability

This PR adds pipelines/managed/slan-cuan-release/README.md, which is disallowed because README
files under pipelines/ are treated as auto-generated and must not be edited directly. Keeping this
change risks future drift from generator output and violates the no-README-edits policy.

@arewm arewm marked this pull request as draft June 24, 2026 19:36
arewm and others added 4 commits June 24, 2026 17:08
Remove pnc-image, signing-key, trustify-api-url, and sso-token-url as
required pipeline params. pnc-image is now extracted from the snapshot
component image via a second collect-task-params step (collect-snapshot-params).
signing-key and Trustify URLs are extracted from RPA data alongside the
existing Pulp config.

Assisted-by: Claude Code (Sonnet 4.6)
Tasks live at tekton/tasks/slan-cuan-{task}.yaml in konflux-lightwell/slan-cuan,
not tasks/managed/slan-cuan-{task}/slan-cuan-{task}.yaml.

Assisted-by: Claude Code (Sonnet 4.6)
Without a default, the release service cannot create the PipelineRun
since it has no mechanism to pass taskGitRevision. Default to main.

Assisted-by: Claude Code (Sonnet 4.6)
Pass the `RADAS_CONFIG_PATH` as env secret

Signed-off-by: Jonathan Gangi <jgangi@redhat.com>
@JAVGan JAVGan force-pushed the slan-cuan-pipeline branch from bd33004 to 8ecb3b9 Compare June 24, 2026 20:09