85 changes: 85 additions & 0 deletions pipelines/managed/slan-cuan-release/README.md
@@ -0,0 +1,85 @@
# slan-cuan-release pipeline

Release pipeline for Lightwell Java artifacts (slan-cuan).
Comment on lines +1 to +3
Action required

1. Added pipelines/.../readme.md 📘 Rule violation ⚙ Maintainability

This PR adds pipelines/managed/slan-cuan-release/README.md, which is disallowed because README
files under pipelines/ are treated as auto-generated and must not be edited directly. Keeping this
change risks future drift from generator output and violates the no-README-edits policy.
Agent Prompt
## Issue description
A `README.md` was added under `pipelines/`, which is not allowed because these READMEs are auto-generated and must not be edited/committed directly.

## Issue Context
Compliance requires avoiding any content changes to `README.md` files under `tasks/` and `pipelines/`. Documentation should be produced via the repository’s README generation workflow rather than being edited in PRs.

## Fix Focus Areas
- pipelines/managed/slan-cuan-release/README.md[1-85]



This pipeline orchestrates the complete release workflow for Java artifacts built by
PNC (Project Newcastle):

1. **Extract** -- Pull artifacts from PNC container image
2. **Sign** -- Cryptographically sign artifacts using RADAS
3. **Register** -- Upload SBOMs to Trustify for CVE tracking
4. **Publish** -- Push signed artifacts to Pulp for distribution

## Workflow Topology

The pipeline executes tasks in strict sequential order:

```
extract → sign → register → publish
```

Each task waits for its predecessor via `runAfter` dependencies. Data flows through
a shared workspace that persists the artifact directory across all stages.

## Workspaces

The pipeline requires a single shared workspace (`shared-workspace`) for artifact passing
between tasks. All tasks mount this workspace at `/var/workdir`.

Workspace binding options:
- **PersistentVolumeClaim** -- For traditional Konflux pipelines
- **Trusted Artifacts** -- Wrap tasks with use-trusted-artifact/create-trusted-artifact
- **emptyDir** -- For ephemeral single-node execution (testing only)

## Results

The pipeline propagates key results from individual tasks for downstream consumption
and Enterprise Contract policy evaluation:

- `manifest-digest` -- OCI manifest digest of the extracted PNC image
- `deliverable-dir` -- Name of the deliverable directory
- `sbom-urn` -- URN of the SBOM registered in Trustify
- `artifacts-uploaded` -- Number of artifacts uploaded to Pulp
- `artifacts-skipped` -- Number of artifacts skipped during upload
- `published-artifact-outputs` -- JSON object for Tekton Chains SLSA provenance

The `published-artifact-outputs` result contains `uri` and `digest` keys. The
`-ARTIFACT_OUTPUTS` suffix triggers Tekton Chains to generate SLSA provenance
attestations for the published artifacts.

## Required Kubernetes Secrets

Create these Kubernetes Secrets before running the pipeline:

- `registry-auth` (.dockerconfigjson) -- Docker/Podman registry authentication
- `radas-config` (Opaque) -- RADAS configuration JSON in `config.json` key
- `trustify-sso` (Opaque) -- OIDC credentials (`client-id`, `client-secret` keys)
- Custom CA certs (Opaque, optional) -- `ca.crt` key for register/publish tasks

Secret names are configurable via pipeline parameters.

## Parameters

| Name | Description | Optional | Default value |
|-------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|-----------------------------------------------------------|
| taskGitUrl | The url to the git repo where the release-service-catalog tasks to be used are stored | Yes | https://github.com/konflux-ci/release-service-catalog.git |
| taskGitRevision | The revision in the taskGitUrl repo to be used | No | - |
| pnc-image | PNC container image reference to extract artifacts from. This is the image produced by Project Newcastle containing the deliverable artifacts and SBOM. Example: quay.io/pnc-builds/foo@sha256:xyz | No | - |
| registry-auth-secret | Kubernetes Secret name for registry authentication (.dockerconfigjson format). Points to a Docker/Podman auth config for accessing private registries | Yes | registry-auth |
| force-extract | Overwrite existing output directory if it exists. Without this flag, the extract task refuses to overwrite existing directories | Yes | false |
| signing-key | Signing key name for RADAS. Identifies which signing key to use for cryptographic signatures | No | - |
| radas-config-secret | Kubernetes Secret name containing RADAS configuration JSON. The secret must have a `config.json` key with RADAS API URL and credentials | Yes | radas-config |
| requester-id | Requester identity for signing operations. Used for audit trails and RADAS access control. Typically an email address | Yes | slan-cuan@example.com |
| zip-root-path | Root of the Maven repository tree inside the ZIP archive submitted to RADAS. The ZIP file structure is <ZIP_ROOT_PATH>/<maven-layout> | Yes | repository |
| product-key | Product key for metadata tagging. Identifies the product in RADAS records and signing logs | Yes | slan-cuan |
| ignore-patterns | Comma-separated regex patterns to exclude files from signing. Example: ".*-sources\\.jar$,.*-javadoc\\.jar$" excludes source and javadoc JARs | Yes | "" |
| trustify-api-url | Trustify instance API URL. The base URL for the Trustify (TPA) SBOM ingestion API. Example: https://trustify.stage.example.com | No | - |
| sso-token-url | OIDC token endpoint URL. The OAuth2/OIDC token endpoint for Trustify authentication. Example: https://sso.example.com/auth/realms/token
| sso-secret-name | Kubernetes Secret name with OIDC credentials. The secret must have `client-id` and `client-secret` keys for OAuth2 client credentials flow | Yes | trustify-sso |
| register-insecure | Disable TLS verification for Trustify API calls. Set to "true" to skip certificate validation (not recommended for production) | Yes | false |
| register-retries | Number of retry attempts for Trustify API calls. The task will retry failed API calls this many times before giving up | Yes | 3 |
| register-ca-cert-secret | Kubernetes Secret name for custom CA certificate (optional). The secret must have a `ca.crt` key containing the PEM-encoded CA certificate. Leave empty to use system CA bundle | Yes | "" |
| pulp-url | Pulp instance base URL. The base URL for the Pulp content management system. Example: https://pulp.example.com | No | - |
| pulp-repository | Pulp Maven distribution name. The name of the target Pulp repository for artifact publishing. Example: lightwell-maven | No | - |
| publish-insecure | Disable TLS verification for Pulp API calls. Set to "true" to skip certificate validation (not recommended for production) | Yes | false |
| publish-ca-cert-secret | Kubernetes Secret name for custom CA certificate (optional). The secret must have a `ca.crt` key containing the PEM-encoded CA certificate. Leave empty to use system CA bundle | Yes | "" |
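Review bot: the `sso-token-url` row of the Parameters table is missing its Optional and Default cells, so the table breaks at that row; add `| No | - |` to match the pipeline, where that param has no default. The documented defaults also drift from slan-cuan-release.yaml in the same PR: the README gives taskGitUrl's default as https://github.com/konflux-ci/release-service-catalog.git and requester-id's as slan-cuan@example.com, while the pipeline sets https://github.com/konflux-lightwell/slan-cuan.git and slan-cuan@org.com, and the sso-token-url examples differ (`/auth/realms/token` here, `/auth/token` in the YAML). Finally, the Results section says the `-ARTIFACT_OUTPUTS` suffix is what triggers Tekton Chains, but the pipeline-level result is named `published-artifact-outputs`; only the task result `PUBLISHED_ARTIFACT_OUTPUTS` carries that suffix, so say explicitly that it is the task-level result Chains consumes, or rename the pipeline result to match.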
282 changes: 282 additions & 0 deletions pipelines/managed/slan-cuan-release/slan-cuan-release.yaml
@@ -0,0 +1,282 @@
---
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
name: slan-cuan-release
labels:
app.kubernetes.io/version: "0.1"
annotations:
tekton.dev/displayName: "slan-cuan: Release Pipeline"
tekton.dev/pipelines.minVersion: "0.50.0"
tekton.dev/platforms: "linux/amd64"
tekton.dev/tags: "release,maven,lightwell"
spec:
description: |
Release pipeline for Lightwell Java artifacts (slan-cuan).

This pipeline orchestrates the complete release workflow for Java artifacts built by
PNC (Project Newcastle).
params:
# Pipeline infrastructure
- name: taskGitUrl
type: string
description: The url to the git repo where the tasks to be used are stored
default: https://github.com/konflux-lightwell/slan-cuan.git
- name: taskGitRevision
type: string
description: The revision in the taskGitUrl repo to be used

# Extract parameters
- name: pnc-image
description: |
PNC container image reference to extract artifacts from.
This is the image produced by Project Newcastle containing the deliverable artifacts and SBOM.
Example: quay.io/pnc-builds/foo@sha256:xyz
type: string
- name: registry-auth-secret
description: |
Kubernetes Secret name for registry authentication (.dockerconfigjson format).
Points to a Docker/Podman auth config for accessing private registries
type: string
default: "registry-auth"
- name: force-extract
description: |
Overwrite existing output directory if it exists.
Without this flag, the extract task refuses to overwrite existing directories
type: string
default: "false"

# Sign parameters
- name: signing-key
description: |
Signing key name for RADAS.
Identifies which signing key to use for cryptographic signatures
type: string
- name: radas-config-secret
description: |
Kubernetes Secret name containing RADAS configuration JSON.
The secret must have a `config.json` key with RADAS API URL and credentials
type: string
default: "radas-config"
- name: requester-id
description: |
Requester identity for signing operations.
Used for audit trails and RADAS access control. Typically an email address
type: string
default: "slan-cuan@org.com"
- name: zip-root-path
description: |
Root of the Maven repository tree inside the ZIP archive submitted to RADAS.
The ZIP file structure is <ZIP_ROOT_PATH>/<maven-layout>
type: string
default: "repository"
- name: product-key
description: |
Product key for metadata tagging.
Identifies the product in RADAS records and signing logs
type: string
default: "slan-cuan"
- name: ignore-patterns
description: |
Comma-separated regex patterns to exclude files from signing.
Example: ".*-sources\\.jar$,.*-javadoc\\.jar$" excludes source and javadoc JARs
type: string
default: ""

# Register parameters
- name: trustify-api-url
description: |
Trustify instance API URL.
The base URL for the Trustify (TPA) SBOM ingestion API.
Example: https://trustify.stage.example.com
type: string
- name: sso-token-url
description: |
OIDC token endpoint URL.
The OAuth2/OIDC token endpoint for Trustify authentication.
Example: https://sso.example.com/auth/token
type: string
- name: sso-secret-name
description: |
Kubernetes Secret name with OIDC credentials.
The secret must have `client-id` and `client-secret` keys for OAuth2 client credentials flow
type: string
default: "trustify-sso"
- name: register-insecure
description: |
Disable TLS verification for Trustify API calls.
Set to "true" to skip certificate validation (not recommended for production)
type: string
default: "false"
- name: register-retries
description: |
Number of retry attempts for Trustify API calls.
The task will retry failed API calls this many times before giving up
type: string
default: "3"
- name: register-ca-cert-secret
description: |
Kubernetes Secret name for custom CA certificate (optional).
The secret must have a `ca.crt` key containing the PEM-encoded CA certificate.
Leave empty to use system CA bundle
type: string
default: ""

# Publish parameters
- name: pulp-url
description: |
Pulp instance base URL.
The base URL for the Pulp content management system.
Example: https://pulp.example.com
type: string
- name: pulp-repository
description: |
Pulp Maven distribution name.
The name of the target Pulp repository for artifact publishing.
Example: lightwell-maven
type: string
- name: publish-insecure
description: |
Disable TLS verification for Pulp API calls.
Set to "true" to skip certificate validation (not recommended for production)
type: string
default: "false"
- name: publish-ca-cert-secret
description: |
Kubernetes Secret name for custom CA certificate (optional).
The secret must have a `ca.crt` key containing the PEM-encoded CA certificate.
Leave empty to use system CA bundle
type: string
default: ""

results:
- name: manifest-digest
description: OCI manifest digest of the extracted image.
value: $(tasks.extract.results.MANIFEST_DIGEST)
- name: deliverable-dir
description: Name of the deliverable directory inside the artifact.
value: $(tasks.extract.results.DELIVERABLE_DIR)
- name: sbom-urn
description: URN of the SBOM registered in Trustify.
value: $(tasks.register.results.SBOM_URN)
- name: artifacts-uploaded
description: Number of artifacts uploaded to Pulp.
value: $(tasks.publish.results.ARTIFACTS_UPLOADED)
- name: artifacts-skipped
description: Number of artifacts skipped during upload.
value: $(tasks.publish.results.ARTIFACTS_SKIPPED)
- name: published-artifact-outputs
description: JSON object for Tekton Chains SLSA provenance.
type: object
value: $(tasks.publish.results.PUBLISHED_ARTIFACT_OUTPUTS)

workspaces:
- name: shared-workspace
description: Shared workspace for artifact processing across tasks.

tasks:
- name: extract
taskRef:
resolver: "git"
params:
- name: url
value: $(params.taskGitUrl)
- name: revision
value: $(params.taskGitRevision)
- name: pathInRepo
value: tasks/managed/slan-cuan-extract/slan-cuan-extract.yaml
params:
- name: IMAGE
value: $(params.pnc-image)
- name: REGISTRY_AUTH_SECRET
value: $(params.registry-auth-secret)
- name: FORCE
value: $(params.force-extract)
workspaces:
- name: workdir
workspace: shared-workspace

- name: sign
taskRef:
resolver: "git"
params:
- name: url
value: $(params.taskGitUrl)
- name: revision
value: $(params.taskGitRevision)
- name: pathInRepo
value: tasks/managed/slan-cuan-sign/slan-cuan-sign.yaml
runAfter:
- extract
params:
- name: REPO_URL
value: $(params.pnc-image)
- name: SIGNING_KEY
value: $(params.signing-key)
- name: RADAS_CONFIG_SECRET
value: $(params.radas-config-secret)
- name: REQUESTER_ID
value: $(params.requester-id)
- name: ZIP_ROOT_PATH
value: $(params.zip-root-path)
- name: PRODUCT_KEY
value: $(params.product-key)
- name: IGNORE_PATTERNS
value: $(params.ignore-patterns)
workspaces:
- name: workdir
workspace: shared-workspace

- name: register
taskRef:
resolver: "git"
params:
- name: url
value: $(params.taskGitUrl)
- name: revision
value: $(params.taskGitRevision)
- name: pathInRepo
value: tasks/managed/slan-cuan-register/slan-cuan-register.yaml
runAfter:
- sign
params:
- name: TRUSTIFY_API_URL
value: $(params.trustify-api-url)
- name: SSO_TOKEN_URL
value: $(params.sso-token-url)
- name: SSO_SECRET_NAME
value: $(params.sso-secret-name)
- name: INSECURE
value: $(params.register-insecure)
- name: RETRIES
value: $(params.register-retries)
- name: CA_CERT_SECRET
value: $(params.register-ca-cert-secret)
workspaces:
- name: workdir
workspace: shared-workspace

- name: publish
taskRef:
resolver: "git"
params:
- name: url
value: $(params.taskGitUrl)
- name: revision
value: $(params.taskGitRevision)
- name: pathInRepo
value: tasks/managed/slan-cuan-publish/slan-cuan-publish.yaml
runAfter:
- register
params:
- name: PULP_URL
value: $(params.pulp-url)
- name: PULP_REPOSITORY
value: $(params.pulp-repository)
- name: INSECURE
value: $(params.publish-insecure)
- name: CA_CERT_SECRET
value: $(params.publish-ca-cert-secret)
workspaces:
- name: workdir
workspace: shared-workspace
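Review bot: in the sign task, `REPO_URL` is bound to `$(params.pnc-image)`, an OCI image reference, which does not match what the parameter name implies; if the sign task genuinely wants the image reference, rename the task input (for example to `IMAGE`, as the extract task does), otherwise bind the intended repository URL. The `taskGitUrl` default here (https://github.com/konflux-lightwell/slan-cuan.git) disagrees with the README's https://github.com/konflux-ci/release-service-catalog.git; pick one, since the git resolver fetches the extract, sign, register and publish task definitions from it. `requester-id` defaults to slan-cuan@org.com, an address in a real third-party domain; use the reserved example.com form the README uses, or drop the default, so an unset value does not land in RADAS audit trails as a live address. `taskGitRevision` correctly has no default, but since it selects the signing and publishing code for every run, document that callers should supply a pinned commit SHA rather than a branch name so the fetched task definitions are immutable.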