Prod signing #2335
This pipeline will be used in Konflux for the releasing of the Java artifacts. The necessary tasks, however, will be hosted in the dedicated Slan-Cuan repository, since they have a tight coupling with the CLI tool that is also built from this repository.
Assisted-by: Claude Sonnet 4.5
Signed-off-by: Bruno Pimentel <bpimente@redhat.com>
…via collect-data Replace static pipeline params with dynamic extraction from RPA data blob. Uses collect-data and collect-task-params tasks resolved from catalogGitUrl to enable Trusted Artifacts handoff between pipeline stages.
Assisted-by: Claude Code (Sonnet 4.6)
Assisted-by: Claude Code (Sonnet 4.6)
Lightwell pipeline
Slan cuan pipeline
Pass the `RADAS_CONFIG_PATH` as env secret Signed-off-by: Jonathan Gangi <jgangi@redhat.com>
fix: use proper secret for RADAS
Signed-off-by: Bruno Pimentel <bpimente@redhat.com>
Fix path to tekton tasks in the slan-cuan pipeline
Signed-off-by: Luiz Carvalho <lucarval@redhat.com>
Add Conforma task to slan-cuan pipeline
Signed-off-by: Luiz Carvalho <lucarval@redhat.com>
Fix env for sign task
Signed-off-by: Luiz Carvalho <lucarval@redhat.com>
Remove invalid env definition
Remove pnc-image, signing-key, trustify-api-url, and sso-token-url as required pipeline params. pnc-image is now extracted from the snapshot component image via a second collect-task-params step (collect-snapshot-params). signing-key and Trustify URLs are extracted from RPA data alongside the existing Pulp config.
Assisted-by: Claude Code (Sonnet 4.6)
slan-cuan-release: Derive all runtime params from snapshot and RPA data
Without a default, the release service cannot create the PipelineRun since it has no mechanism to pass taskGitRevision. Default to main.
Assisted-by: Claude Code (Sonnet 4.6)
…or artifact passing Switch slan-cuan domain tasks from shared-workspace to Trusted Artifacts. extract creates a TA of the extracted artifact directory; sign, register, and publish each restore it. This removes the dependency on a shared PVC, which the release service cannot provision. Also pins taskGitUrl to arewm/slan-cuan@509fb97 and removes the shared-workspace pipeline declaration.
Assisted-by: Claude Code (Sonnet 4.6)
Signed-off-by: Luiz Carvalho <lucarval@redhat.com>
Syncing in changes from Andrew's fork
Signed-off-by: Luiz Carvalho <lucarval@redhat.com>
Add missing enterpriseContractTimeout pipeline param
Signed-off-by: Luiz Carvalho <lucarval@redhat.com>
Use Andrew's fork of slan-cuan tasks
Signed-off-by: Luiz Carvalho <lucarval@redhat.com>
Use slan-cuan tasks from Andrew's fork
Signed-off-by: Jonathan Gangi <jgangi@redhat.com>
fix: git references to this fork
fix: remove duplicated params
Uploading of the SBOM is out of scope for now
Signed-off-by: Luiz Carvalho <lucarval@redhat.com>
Remove slan-cuan register task from pipeline
Signed-off-by: Luiz Carvalho <lucarval@redhat.com>
Disable references to results not populated by task
Signed-off-by: Luiz Carvalho <lucarval@redhat.com>
Specify pulp secret name
Signed-off-by: Jonathan Gangi <jgangi@redhat.com>
slan-cuan: pass the secrets for pulp to the task
Signed-off-by: Jonathan Gangi <jgangi@redhat.com>
Signed-off-by: Jonathan Gangi <jgangi@redhat.com>
This reverts commit 9a589d4. Due to a bug in the Python script, reused IIB builds cause missing iibLog result, failing PipelineRuns with CouldntGetPipelineResult.
Signed-off-by: Filip Nikolovski <fnikolov@redhat.com>
The jira_ci.py script no longer works after the Jira migration. Replace it with a call to a Jira Automation webhook that handles ticket updates (label swaps, comments, transitions) via an automation rule. The parsed tickets payload format has changed to group PRs by ticket, as Jira Automation's smart values cannot correlate individual entries back to the current issue being processed. Requires JIRA_AUTOMATION_WEBHOOK_URL and JIRA_AUTOMATION_WEBHOOK_TOKEN repository secrets.
Assisted-by: Cursor
Signed-off-by: Lubomir Gallovic <lgallovi@redhat.com>
The verify-conforma task was running in parallel with sign but not gating it. Add verify-conforma to sign's runAfter list so that the Conforma policy check must pass before signing begins.
Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Ralph Bean <rbean@redhat.com>
fix: make verify-conforma block sign task
This reverts commit 867589f.
…s-sign Revert: make verify-conforma block sign task
PR Reviewer Guide 🔍 Warning
Here are some key observations to aid the review process:
Code Review by Qodo
Context used: ✅ Compliance rules (platform): 25 rules
| SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) | ||
| yq -i '.spec.steps[0].script = load_str("'$SCRIPT_DIR'/mocks.sh") + .spec.steps[0].script' "$TASK_PATH" | ||
| yq -i '.spec.steps[1].script = load_str("'$SCRIPT_DIR'/mocks.sh") + .spec.steps[1].script' "$TASK_PATH" |
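Review bot: `'$SCRIPT_DIR'` is spliced into the yq program text itself, so besides the unquoted expansion the expression breaks (or changes meaning) if the checkout path contains a single quote. Hand the path to yq through the environment instead, e.g. `SCRIPT_DIR="$SCRIPT_DIR" yq -i '.spec.steps[0].script = load_str(strenv(SCRIPT_DIR) + "/mocks.sh") + .spec.steps[0].script' "$TASK_PATH"`, which keeps the shell value out of the yq grammar entirely.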
4. Unquoted script_dir substitution 📘 Rule violation ≡ Correctness
SCRIPT_DIR=$(...) is not quoted and $SCRIPT_DIR is expanded without brace syntax when building the yq expression. This can break on whitespace/special characters and violates the quoting/brace requirements.
Agent Prompt
## Issue description
The added `SCRIPT_DIR` assignment is unquoted and later expanded without `${...}` braces.
## Issue Context
Checklist requires quoting variables/command substitutions and using brace syntax for variable expansion.
## Fix Focus Areas
- tasks/internal/update-fbc-catalog-task/tests/pre-apply-task-hook.sh[23-25]
| #!/usr/bin/env bash | ||
| set -x | ||
|
|
||
| echo "CLAUDE_DEBUGGING: mocks.sh file loaded successfully with fix attempt $(date)" >&2 |
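Review bot: the `echo "CLAUDE_DEBUGGING: mocks.sh file loaded successfully with fix attempt $(date)" >&2` line is leftover debugging output and should be dropped before merge. Note also that `pre-apply-task-hook.sh` prepends this file to the real step scripts, so the `set -x` here turns on xtrace for the whole step under test, not just for the mocks.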
5. mocks.sh missing strict flags 📘 Rule violation ☼ Reliability
The new standalone script mocks.sh enables xtrace (set -x) but does not enable strict error handling (set -euo pipefail). This can hide failures and make test behavior non-deterministic.
Agent Prompt
## Issue description
New standalone bash script lacks strict error handling flags.
## Issue Context
Checklist requires `set -euo pipefail` near the top of standalone scripts.
## Fix Focus Areas
- tasks/internal/update-fbc-catalog-task/tests/mocks.sh[1-4]
| script: | | ||
| #!/usr/bin/env bash | ||
|
|
||
| IIB_SERVICE_URL="$(cat /mnt/iib-services-config/url)" | ||
| KRB5_CONF_CONTENT="$(cat /mnt/iib-services-config/krb5.conf)" | ||
|
|
6. Tekton scripts missing pipefail 📘 Rule violation ☼ Reliability
Tekton step scripts in update-fbc-catalog-task were added/updated without set -eo pipefail (or stronger like set -euo pipefail) as the first executable line, which reduces safety by allowing steps to continue after failures. As a result, failures in commands like base64/kinit/skopeo/date/jq can be ignored and the task may proceed with invalid state or incorrect build reuse decisions.
Agent Prompt
## Issue description
Tekton `script:` blocks in `update-fbc-catalog-task` do not enable fail-fast behavior (`set -eo pipefail` or stronger like `set -euo pipefail`) as the first executable line, which can allow the task to continue after failures and produce incorrect results (e.g., invalid state or incorrect build reuse decisions).
## Issue Context
A checklist/rule (Rule 1268) requires that the first non-comment, non-empty line in Tekton shell scripts include `set -eo pipefail` (or stronger). The affected step scripts currently start executing commands (and/or `set -x`) before enabling `-e`/`pipefail`, even though other tasks in this repo commonly start scripts with `set -euo pipefail` to ensure command failures fail the TaskRun. These scripts rely on commands such as `base64`, `kinit`, `skopeo`, `date`, and `jq`, so missing fail-fast can let authentication/inspection/conversion failures be ignored.
## Fix Focus Areas
- tasks/internal/update-fbc-catalog-task/update-fbc-catalog-task.yaml[120-334]
- tasks/internal/update-fbc-catalog-task/update-fbc-catalog-task.yaml[436-549]
- tasks/internal/update-fbc-catalog-task/tests/test-update-fbc-catalog-error.yaml[59-62]
| KRB5_TEMP_CONF=$(mktemp) | ||
| KRB5_PRINCIPAL=$(cat /mnt/service-account-secret/principal) |
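Review bot: because the test hook prepends `mocks.sh`, `set -x` is active when `KRB5_PRINCIPAL=$(cat /mnt/service-account-secret/principal)` runs, so the value read from the secret mount is traced into the test log. Wrap reads from secret mounts in `set +x` / `set -x` (or drop xtrace from the mocks) so mounted secret values never reach logs.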
7. mktemp not cleaned up 📘 Rule violation ☼ Reliability
The Tekton task script creates a temp file via mktemp but does not register an EXIT trap to remove it. This can leak temporary files into the workspace/container filesystem and complicate debugging and reuse.
Agent Prompt
## Issue description
`mktemp` is used without an EXIT trap cleanup.
## Issue Context
Checklist requires mktemp-created temp paths to be removed via a `trap ... EXIT` handler.
## Fix Focus Areas
- tasks/internal/update-fbc-catalog-task/update-fbc-catalog-task.yaml[319-327]
| iib_response=$(curl -u : --negotiate -s -X POST \ | ||
| -H "Content-Type: application/json" -d@"${json_input}" --insecure \ | ||
| "${IIB_SERVICE_URL}/builds/fbc-operations") |
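Review bot: `--insecure` disables certificate verification on the POST to `${IIB_SERVICE_URL}/builds/fbc-operations`, while `--negotiate` sends Kerberos credentials over that same connection, so the task cannot tell the real IIB service from an intercepting endpoint. Mount the internal CA bundle and pass `--cacert` (or rely on the image's trust store) rather than turning verification off.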
8. Iib curl missing retries 📘 Rule violation ☼ Reliability
The Tekton task uses operational curl calls to IIB without --retry 3 and without --fail-with-body. This increases flakiness on transient failures and can mask HTTP errors as successful execution.
Agent Prompt
## Issue description
Operational `curl` calls in the task lack required robustness flags (`--retry 3` and `--fail-with-body`).
## Issue Context
Checklist requires retry handling and fail-with-body for curl commands expected to succeed.
## Fix Focus Areas
- tasks/internal/update-fbc-catalog-task/update-fbc-catalog-task.yaml[146-153]
- tasks/internal/update-fbc-catalog-task/update-fbc-catalog-task.yaml[411-413]
- tasks/internal/update-fbc-catalog-task/update-fbc-catalog-task.yaml[459-463]
| cat > "$json_raw_input" <<JSON | ||
| { | ||
| "fbc_fragments": ${sorted_fbc_fragments}, | ||
| "from_index": "${FROM_INDEX}", | ||
| "build_tags": $(params.buildTags), | ||
| "add_arches": $(params.addArches), | ||
| "overwrite_from_index": ${mustOverwriteFromIndexImage}, | ||
| "overwrite_from_index_token": "${IIB_OVERWRITE_FROM_INDEX_USERNAME}:${IIB_OVERWRITE_FROM_INDEX_TOKEN}" | ||
| } | ||
| JSON |
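Review bot: `overwrite_from_index_token` puts a credential into the on-disk payload `$json_raw_input`; make sure that file is never printed for debugging and is removed when the step ends (an EXIT trap alongside the `mktemp` cleanup would cover it). Since the username and token are interpolated unescaped, a `"` or `\` in either yields an invalid body instead of a clear error, which is another reason to let `jq --arg` serialize them.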
9. Json built via heredoc 📘 Rule violation ≡ Correctness
The task constructs a JSON payload using a heredoc with shell interpolation rather than building JSON via jq arguments (--arg/--argjson). This can lead to invalid JSON or injection bugs if any interpolated values contain quotes or special characters.
Agent Prompt
## Issue description
JSON request payload is built via a heredoc with interpolated shell variables.
## Issue Context
Checklist requires constructing JSON with `jq -n` and `--arg/--argjson` instead of string concatenation/interpolation.
## Fix Focus Areas
- tasks/internal/update-fbc-catalog-task/update-fbc-catalog-task.yaml[392-401]
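The contrast described in finding 9, as an added example that is not code from this PR or from the release-service-catalog repository: the same IIB request body built once with a heredoc and once with `jq -n --arg/--argjson`, then fed a constructed `from_index` value containing a double quote. Field names follow the heredoc above; the helper names `build_payload_heredoc`, `build_payload_jq` and `is_valid_json`, and every sample value, are assumptions made for the demo.

```shell
#!/usr/bin/env bash
# Added example, not code from the reviewed task. Builds the fbc-operations
# request body two ways and checks which one survives a value containing a
# double quote. Requires jq; all input values below are constructed.
set -eu

# The pattern under review: interpolate shell variables straight into a heredoc.
# Nothing escapes the values, so the caller's text becomes part of the JSON syntax.
build_payload_heredoc() {
  from_index="$1"; fbc_fragments_json="$2"; build_tags_json="$3"
  cat <<JSON
{
  "fbc_fragments": ${fbc_fragments_json},
  "from_index": "${from_index}",
  "build_tags": ${build_tags_json}
}
JSON
}

# Hardened form: jq serializes every value. --arg binds a string (quoted and
# escaped by jq); --argjson binds a value that must already be valid JSON and
# fails the command, under set -e, when it is not.
build_payload_jq() {
  from_index="$1"; fbc_fragments_json="$2"; build_tags_json="$3"
  jq -n \
    --arg from_index "$from_index" \
    --argjson fbc_fragments "$fbc_fragments_json" \
    --argjson build_tags "$build_tags_json" \
    '{fbc_fragments: $fbc_fragments, from_index: $from_index, build_tags: $build_tags}'
}

# Returns 0 when stdin is valid JSON, non-zero otherwise (the same `jq -e .`
# check the task applies to fbcFragments).
is_valid_json() {
  jq -e . >/dev/null 2>&1
}

# Constructed inputs. The from_index carries a stray double quote, as a
# mistyped parameter or an unexpected registry string might.
FRAGMENTS='["quay.example/ns/fragment@sha256:0000000000000000000000000000000000000000000000000000000000000000"]'
TAGS='["v4.18-candidate"]'
ODD_INDEX='registry.example/redhat/redhat-operator-index:v4.18"'

if command -v jq >/dev/null 2>&1; then
  if build_payload_heredoc "$ODD_INDEX" "$FRAGMENTS" "$TAGS" | is_valid_json; then
    echo "heredoc payload: valid JSON"
  else
    echo "heredoc payload: INVALID JSON (the quote was interpolated verbatim)"
  fi
  build_payload_jq "$ODD_INDEX" "$FRAGMENTS" "$TAGS" | is_valid_json \
    && echo "jq payload: valid JSON, from_index round-trips to the original value"
fi
```

Because `--argjson` parses its argument, a malformed `fbc_fragments` list stops the step at payload construction with a jq error rather than reaching the IIB API as a broken body; the heredoc version only discovers the problem when the service rejects the request.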
| # Validate that required environment variables are set | ||
| if [ -z "${FBC_FRAGMENTS:-}" ]; then | ||
| echo "Error: FBC_FRAGMENTS environment variable is required" | ||
| exit 1 | ||
| fi | ||
| if [ -z "${FROM_INDEX:-}" ]; then | ||
| echo "Error: FROM_INDEX environment variable is required" | ||
| exit 1 | ||
| fi | ||
|
|
||
| # validate fbcFragments parameter is valid JSON array | ||
| if ! echo "${FBC_FRAGMENTS}" | jq -e . >/dev/null 2>&1; then | ||
| echo "Error: fbcFragments parameter must be a valid JSON array" | ||
| jq -n '{ "state": "failed", "state_reason": "Invalid fbcFragments parameter" }' \ | ||
| | tee "$(results.buildState.path)" | ||
| echo -n 1 > "$(results.exitCode.path)" | ||
| exit 1 | ||
| fi |
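Review bot: `jq -e .` accepts any JSON document (an object, a string, a number), so a non-array `fbcFragments` passes this validation even though the error message promises an array check. Use `jq -e 'type == "array"'` (and, if the request format requires it, `all(type == "string")`) so the shape the IIB request expects is actually enforced before the build is submitted.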
10. Tekton script exits non-zero 📘 Rule violation ≡ Correctness
The Tekton task scripts use exit 1/propagate non-zero exit codes for business logic and failures. This violates the requirement to always exit 0 and instead communicate status via Tekton results.
Agent Prompt
## Issue description
Task scripts exit non-zero (`exit 1`) instead of always exiting 0 and using Tekton results to signal failure.
## Issue Context
Checklist requires writing status to `$(results.*.path)` and ending the script with `exit 0` regardless of logical success/failure.
## Fix Focus Areas
- tasks/internal/update-fbc-catalog-task/update-fbc-catalog-task.yaml[335-360]
- tasks/internal/update-fbc-catalog-task/update-fbc-catalog-task.yaml[572-589]
| url="$(jq -r ".logs.url" <<< "${build_info}")" | ||
| echo IIB log url is: "${url}" > "$(results.iibLog.path)" |
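Review bot: the result is written as the sentence `IIB log url is: <url>` rather than the URL alone, which is why the wait step later has to recover it with `awk '{print $NF}'`. Store the bare value, `printf '%s' "${url}" > "$(results.iibLog.path)"`, so consumers (including that `curl` in the wait step) get the URL directly and without the trailing newline.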
11. Result written with echo 📘 Rule violation ≡ Correctness
The task writes the iibLog Tekton result using echo without -n, which appends a trailing newline into the result value. This can cause downstream parsing/validation issues when consumers expect an exact URL string.
Agent Prompt
## Issue description
A Tekton result file is written using `echo` without `-n`, introducing a trailing newline.
## Issue Context
Checklist requires `echo -n` (or `printf %s`) when writing Tekton results.
## Fix Focus Areas
- tasks/internal/update-fbc-catalog-task/update-fbc-catalog-task.yaml[495-496]
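An added example covering findings 7 and 11 together (not code from this PR): a step body that registers an EXIT trap immediately after `mktemp` and writes its result with `printf '%s'`, with a checker that shows what `echo` leaves behind. Tekton's `$(results.<name>.path)` substitution is replaced by an explicit path argument; the names `run_step`, `write_result`, `write_result_with_echo` and `has_trailing_newline`, the krb5 snippet and the log URL are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not code from the reviewed task: temp-file cleanup through an
# EXIT trap and newline-free result writing in a Tekton-style step body.
# All values are constructed; the result path stands in for $(results.X.path).
set -eu
# pipefail is not POSIX; enable it only where the running shell supports it
(set -o pipefail) 2>/dev/null && set -o pipefail

DEMO_LOG_URL="https://iib.example.test/api/v1/builds/42/logs"   # constructed

# Write a Tekton result byte-for-byte: printf '%s' appends no newline, so a
# consumer comparing the value against an exact URL or digest sees only the value.
write_result() {
  printf '%s' "$2" > "$1"
}

# The form finding 11 flags: echo appends "\n" to whatever it writes.
write_result_with_echo() {
  echo "$2" > "$1"
}

# True when the file's last byte is a newline, which is exactly the stray
# character a downstream consumer would trip over.
has_trailing_newline() {
  [ -z "$(tail -c 1 "$1")" ]
}

# One step body, run in a subshell that owns a temp file. The trap is
# registered right after mktemp, so the file is removed on normal completion,
# on an explicit failure exit and on a signal. The temp path is recorded in $2
# so a caller can verify the cleanup afterwards.
run_step() {
  result_path="$1"; tmp_record="$2"; simulate_failure="${3:-no}"
  (
    KRB5_TEMP_CONF="$(mktemp)"
    trap 'rm -f "${KRB5_TEMP_CONF}"' EXIT
    printf '%s' "${KRB5_TEMP_CONF}" > "$tmp_record"
    printf '[libdefaults]\n  default_realm = EXAMPLE.TEST\n' > "${KRB5_TEMP_CONF}"
    write_result "$result_path" "$DEMO_LOG_URL"
    if [ "$simulate_failure" != "no" ]; then
      echo "simulated kinit failure" >&2
      exit 1   # explicit, so the outcome does not depend on how -e is inherited
    fi
    echo "step body finished"
  )
}

# Stand-alone demo: run a failing step and show the temp file is gone afterwards.
demo_result="$(mktemp)"; demo_record="$(mktemp)"
run_step "$demo_result" "$demo_record" yes || echo "step exited non-zero as expected"
[ -e "$(cat "$demo_record")" ] && echo "temp file leaked" || echo "temp file cleaned up"
rm -f "$demo_result" "$demo_record"
```

The trap is set inside the subshell so it is scoped to the step body and does not stack up with traps from other steps; in a real Tekton step script the same two lines sit at the top level right after `mktemp`.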
| if [ ${BUILDEXIT} -eq 0 ]; then | ||
| echo -n 0 > "$(results.exitCode.path)" | ||
|
|
||
| # get the manifest digests | ||
| indexImageCopy=$(base64 -d < "$(results.jsonBuildInfo.path)" | gunzip | \ | ||
| jq -cr .internal_index_image_copy) | ||
| # Use this to obtain the manifest digests for each arch in manifest list | ||
| indexImageDigestsRaw=$(skopeo inspect --retry-times 3 --raw "docker://${indexImageCopy}") | ||
| # according the IIB team, | ||
| # "all index images will always be multi-arch with a manifest list" | ||
| # | ||
| indexImageDigests=$(echo "${indexImageDigestsRaw}" | \ | ||
| jq -r \ | ||
| '.manifests[]? | select(.mediaType=="application/vnd.docker.distribution.manifest.v2+json") | .digest' \ | ||
| | tr '\n' ' ' | sed 's/ $//') # make sure the result is on one line and remove trailing space | ||
| echo -n "${indexImageDigests}" > "$(results.indexImageDigests.path)" | ||
| if [ -z "${indexImageDigests}" ] ; then | ||
| echo "Index image produced is not multi-arch with a manifest list" | ||
| echo -n 1 > "$(results.exitCode.path)" | ||
| fi | ||
| else | ||
| if [ ${BUILDEXIT} -eq 124 ]; then | ||
| echo "Timeout while waiting for the build to finish" | ||
| jq -n '{ "state": "failed", "state_reason": "Build timeout" }' | tee "$(results.buildState.path)" | ||
| else | ||
| echo "Build failed with exit code ${BUILDEXIT}" | ||
| jq -n --arg exit_code "$BUILDEXIT" \ | ||
| '{ "state": "failed", "state_reason": ("Build failed with exit code " + $exit_code) }' \ | ||
| | tee "$(results.buildState.path)" | ||
| fi | ||
| echo -n "" > "$(results.indexImageDigests.path)" | ||
| echo -n "$BUILDEXIT" > "$(results.exitCode.path)" | ||
| fi | ||
| # We don't put the log in a result because tekton results are too limited for what we can put | ||
| # to be useful, but still print it for debugging | ||
| curl -s "$(awk '{print $NF}' < "$(results.iibLog.path)")" | ||
|
|
||
| exit "${BUILDEXIT}" |
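Review bot: the digest filter keeps only `application/vnd.docker.distribution.manifest.v2+json`, so an index image whose manifest list entries are OCI manifests (`application/vnd.oci.image.manifest.v1+json`) yields an empty `indexImageDigests` and is reported as "not multi-arch with a manifest list" even when it is; select on both media types. Separately, `curl -s` on the recovered log URL hides any fetch error, so add `--fail` (or at least drop `-s`) so a bad URL is visible in the step log.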
12. Empty digests still succeed 🐞 Bug ≡ Correctness
In update-fbc-catalog-task’s wait step, when indexImageDigests is empty it writes exitCode=1 to results but still exits with 0 (BUILDEXIT), so Tekton reports the TaskRun as successful while emitting failure-like results.
Agent Prompt
### Issue description
The wait step detects an empty `indexImageDigests` result, but only updates `$(results.exitCode.path)` and does not fail the step process (it still `exit "${BUILDEXIT}"` where `BUILDEXIT` is 0). This creates an inconsistent state: TaskRun success with error results.
### Issue Context
Downstream logic (e.g., add-fbc-contribution) consumes `indexImageDigests` to populate result payloads. If digests are missing, the task should fail consistently (non-zero exit + failed buildState), not succeed.
### Fix Focus Areas
- When `indexImageDigests` is empty:
- write a failed `buildState` (or at least keep consistency with exitCode)
- set a non-zero exit status (e.g., set `BUILDEXIT=1` and/or `exit 1` immediately)
- ensure `$(results.indexImageDigests.path)` is set appropriately (likely empty) and the TaskRun fails.
#### Code locations
- tasks/internal/update-fbc-catalog-task/update-fbc-catalog-task.yaml[552-571]
- tasks/internal/update-fbc-catalog-task/update-fbc-catalog-task.yaml[589-589]
No description provided.