feat: add customized tekton pipeline to build image from tag #255
- image should be stored in quay.io/opendatahub and tagged with the same git tag: vx.y.z, matching the upstream llm-d-router release
- to retrigger a build in case of build failure, force-push the tag; on-command won't work in this case without specifying the tag name

Signed-off-by: Wen Zhou <wenzhou@redhat.com>
📝 Walkthrough
Two Tekton
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~10 minutes
Supply chain surface (CWE-1357, CWE-494): Both manifests resolve the pipeline from
Secret handling: The
Service account least-privilege:
🚥 Pre-merge checks | ✅ Passed checks (10 passed)
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.tekton/odh-llm-d-router-disagg-sidecar-tag.yaml:
- Around line 36-37: The revision parameter in both PipelineRun files is set to
the mutable `main` branch reference, which poses a supply chain security risk by
executing potentially changed remote pipeline code at runtime. In
`.tekton/odh-llm-d-router-disagg-sidecar-tag.yaml` at lines 36-37, replace the
`revision: main` value with a specific immutable commit SHA or release tag.
Apply the identical change to
`.tekton/odh-llm-d-router-endpoint-picker-tag.yaml` at lines 36-37, ensuring
both files pin their pipelineRef revisions to the same immutable identifier to
maintain consistency and security.
- Line 12: The CEL expression in the
pipelinesascode.tekton.dev/on-cel-expression field uses
startsWith("refs/tags/v") which is too permissive and allows invalid tags that
do not follow semantic versioning (e.g., refs/tags/vfoo, refs/tags/vbar-rc1).
Replace the prefix match with a strict regex pattern that enforces the exact
vx.y.z semantic versioning format. Apply this fix in two files:
.tekton/odh-llm-d-router-disagg-sidecar-tag.yaml at line 12 (anchor) and
.tekton/odh-llm-d-router-endpoint-picker-tag.yaml at line 12 (sibling). Both
files require the same CEL expression update to use a regex constraint that
matches only tags following the vx.y.z pattern.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Central YAML (base), Organization UI (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: ba624562-1451-4366-b303-20bb086a470d
📒 Files selected for processing (2)
- .tekton/odh-llm-d-router-disagg-sidecar-tag.yaml
- .tekton/odh-llm-d-router-endpoint-picker-tag.yaml
| build.appstudio.redhat.com/target_branch: '{{target_branch}}' | ||
| pipelinesascode.tekton.dev/cancel-in-progress: "false" | ||
| pipelinesascode.tekton.dev/max-keep-runs: "3" | ||
| pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch.startsWith("refs/tags/v") |
🧩 Analysis chain
🌐 Web query:
Pipelines-as-Code CEL examples for matching Git tag pushes and whether target_branch.matches() is supported for strict regex gating.
💡 Result:
In Pipelines-as-Code, you can use CEL (Common Expression Language) expressions in the pipelinesascode.tekton.dev/on-cel-expression annotation for advanced event matching, including Git tag pushes [1][2][3]. For Git tag pushes, the target_branch field holds the reference name (e.g., refs/tags/v1.0) [2][4]. You can use the .matches() method, which supports standard regular expressions, to perform strict gating on these tags [1][5].

Example: Match only specific version tags

To trigger a PipelineRun only when a tag matching the pattern v1.* is pushed, use the following CEL expression:

```yaml
metadata:
  annotations:
    pipelinesascode.tekton.dev/on-cel-expression: |
      event == "push" && target_branch.matches("refs/tags/v1..*")
```

Key points regarding CEL and tag matching:
- Supported: The target_branch.matches() function is fully supported for regex gating [1][5].
- Precedence: When the on-cel-expression annotation is present, it takes priority, and other matching annotations (like on-target-branch or on-event) are ignored [2][3].
- Context: The target_branch field is available in the CEL evaluation context for both push and pull request events [1][5][3].
- Testing: You can validate your expressions against actual webhook payloads using the CLI command tkn pac cel [5].

For more complex scenarios, you can also access the full webhook payload via the body variable if you need to filter on deeper attributes of the tag push [6][7].
Citations:
- 1: https://pipelinesascode.com/docs/guides/event-matching/cel-expressions/
- 2: https://docs.pipelinesascode.com/v0.38.0/docs/guide/matchingevents/
- 3: https://docs.redhat.com/en/documentation/red_hat_openshift_pipelines/1.21/html/pipelines_as_code/creating-pipeline-runs-pac
- 4: https://pipelinesascode.com/docs/guides/event-matching/
- 5: https://pipelinesascode.com/docs/cli/cel/
- 6: https://pipelinesascode.com/docs/advanced/custom-parameters/
- 7: https://pipelinesascode.com/docs/guides/creating-pipelines/cel-expressions/
🏁 Script executed:

```bash
#!/bin/bash
# Locate and inspect both Tekton YAML files
find . -name "*odh-llm-d-router-disagg-sidecar-tag.yaml" -o -name "*odh-llm-d-router-endpoint-picker-tag.yaml" | head -20
```

Repository: opendatahub-io/llm-d-router
Length of output: 174
🏁 Script executed:

```bash
# Read the files to confirm the CEL expression on line 12
if [ -f ".tekton/odh-llm-d-router-disagg-sidecar-tag.yaml" ]; then
  echo "=== odh-llm-d-router-disagg-sidecar-tag.yaml ==="
  sed -n '10,15p' .tekton/odh-llm-d-router-disagg-sidecar-tag.yaml
fi
if [ -f ".tekton/odh-llm-d-router-endpoint-picker-tag.yaml" ]; then
  echo "=== odh-llm-d-router-endpoint-picker-tag.yaml ==="
  sed -n '10,15p' .tekton/odh-llm-d-router-endpoint-picker-tag.yaml
fi
```

Repository: opendatahub-io/llm-d-router
Length of output: 891
Enforce exact vx.y.z tag policy in CEL, not only prefix match (CWE-20).
startsWith("refs/tags/v") permits non-release tags (e.g., refs/tags/vfoo, refs/tags/vbar-rc1) while the objective requires vx.y.z semantic versioning.
- .tekton/odh-llm-d-router-disagg-sidecar-tag.yaml#L12: replace with strict regex match.
- .tekton/odh-llm-d-router-endpoint-picker-tag.yaml#L12: apply the same fix.
Suggested CEL hardening
- pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch.startsWith("refs/tags/v")
+ pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch.matches("^refs/tags/v[0-9]+\\.[0-9]+\\.[0-9]+$")
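Review bot: the anchored pattern on the `+` line also rejects pre-release tags such as refs/tags/v1.2.3-rc1, which matches the vx.y.z objective in the PR description but means a release-candidate tag will never trigger this build; confirm that is intended. The `\\.` escapes are right for an unquoted YAML scalar feeding a CEL string literal (CEL's matches() is unanchored, so the `^` and `$` are doing real work), and the expression can be checked against a captured tag-push payload with `tkn pac cel` before merging.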
📍 Affects 2 files
- .tekton/odh-llm-d-router-disagg-sidecar-tag.yaml#L12-L12 (this comment)
- .tekton/odh-llm-d-router-endpoint-picker-tag.yaml#L12-L12
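As an added check, not code from this PR or from Pipelines-as-Code: the two CEL predicates discussed above emulated in Python over constructed refs, so the difference between the prefix match and the anchored regex is visible on each input, including the non-release tags the review names. It also surfaces one caveat of the suggested pattern: `[0-9]+` accepts a leading zero (v01.2.3), which strict SemVer forbids. Python's `re` and CEL's RE2 agree on this pattern, and `search` is used deliberately because CEL's matches() is unanchored.

```python
import re

# Emulation of the two on-cel-expression variants from the review (added example,
# not Pipelines-as-Code code). CEL's matches() uses RE2 and is unanchored, which
# is why the hardened pattern carries explicit ^ and $ anchors.
PERMISSIVE_PREFIX = "refs/tags/v"
STRICT_PATTERN = re.compile(r"^refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$")


def permissive_trigger(event: str, target_branch: str) -> bool:
    # CEL: event == "push" && target_branch.startsWith("refs/tags/v")
    return event == "push" and target_branch.startswith(PERMISSIVE_PREFIX)


def strict_trigger(event: str, target_branch: str) -> bool:
    # CEL: event == "push" && target_branch.matches("^refs/tags/v[0-9]+\\.[0-9]+\\.[0-9]+$")
    return event == "push" and STRICT_PATTERN.search(target_branch) is not None


def compare(refs):
    """Return {ref: (permissive_result, strict_result)} for a push event on each ref."""
    return {ref: (permissive_trigger("push", ref), strict_trigger("push", ref)) for ref in refs}


# Constructed sample refs: the release form plus the non-release tags named in the review.
SAMPLE_REFS = [
    "refs/tags/v1.2.3",
    "refs/tags/vfoo",
    "refs/tags/vbar-rc1",
    "refs/tags/v1.2.3-rc1",   # pre-release: rejected by the strict pattern
    "refs/tags/v1.2",         # only two components: rejected by the strict pattern
    "refs/tags/v01.2.3",      # leading zero: still accepted by [0-9]+ (strict SemVer would reject it)
    "refs/heads/main",
]

if __name__ == "__main__":
    for ref, (loose, strict) in compare(SAMPLE_REFS).items():
        print(f"{ref:26} startsWith={loose!s:5} matches={strict}")
```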
| - name: revision | ||
| value: main |
🧩 Analysis chain
🏁 Script executed:

```bash
#!/bin/bash
# Verify mutable resolver refs in tag-triggered PipelineRuns
rg -n --glob '.tekton/*-tag.yaml' 'name:\s*revision|value:\s*main' .tekton
```

Repository: opendatahub-io/llm-d-router
Length of output: 502
Pin pipelineRef to an immutable commit/tag, not main (CWE-494).
Using revision: main in tag-triggered PipelineRuns executes mutable remote pipeline code at runtime, exposing the CI/CD supply chain.
- .tekton/odh-llm-d-router-disagg-sidecar-tag.yaml:37: replace `revision: main` with a commit SHA or immutable release tag.
- .tekton/odh-llm-d-router-endpoint-picker-tag.yaml:37: apply the same pinning strategy.
Suggested patch pattern
pipelineRef:
resolver: git
params:
- name: url
value: https://github.com/opendatahub-io/odh-konflux-central.git
- name: revision
- value: main
+ value: <immutable-commit-sha-or-immutable-release-tag>
- name: pathInRepo
value: pipeline/multi-arch-container-build.yaml
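Review bot: the `+ value: <immutable-commit-sha-or-immutable-release-tag>` line is a placeholder that must be filled in before merge, and of the two options it offers only a full commit SHA is truly immutable: a git tag can be force-moved, which is exactly the retrigger mechanism this PR's description relies on for its own tags. Pin to the 40-character SHA of the odh-konflux-central commit and note the corresponding tag in a YAML comment so the pin stays auditable.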
- .tekton/odh-llm-d-router-disagg-sidecar-tag.yaml#L36-L37 (this comment)
- .tekton/odh-llm-d-router-endpoint-picker-tag.yaml#L36-L37
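An added audit script, not part of this PR or of the Konflux/odh-konflux-central tooling, that scans a PipelineRun manifest for git-resolver `revision` params and classifies each as a pinned SHA, a release tag, or a mutable ref. The manifest text is constructed from the pipelineRef shown above (with a placeholder SHA, not a real commit), and the line-scanning regex assumes the `- name: revision` / `value:` layout seen there rather than pulling in a YAML parser.

```python
import re

# Classification of pipelineRef revisions (added example, not project tooling).
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
RELEASE_TAG = re.compile(r"^v[0-9]+\.[0-9]+\.[0-9]+$")
# Assumes the `- name: revision` / `value: <ref>` param layout from the review.
REVISION_PARAM = re.compile(r"-\s*name:\s*revision\s*\n\s*value:\s*(\S+)")


def classify_revision(value: str) -> str:
    """'pinned' for a full commit SHA; 'tag' for vx.y.z (still movable by a
    force-push, as this PR's own retrigger workflow relies on); else 'mutable'."""
    if FULL_SHA.match(value):
        return "pinned"
    if RELEASE_TAG.match(value):
        return "tag"
    return "mutable"


def audit_manifest(text: str) -> list[tuple[str, str]]:
    """Return (revision, classification) for every revision param in the manifest."""
    return [(m.group(1), classify_revision(m.group(1))) for m in REVISION_PARAM.finditer(text)]


def findings(text: str) -> list[str]:
    """Human-readable findings for every revision that is not a commit SHA."""
    return [f"revision '{rev}' is {kind}; pin to a full commit SHA"
            for rev, kind in audit_manifest(text) if kind != "pinned"]


# Constructed manifest fragment modelled on the pipelineRef in the review.
SAMPLE_MANIFEST = """\
spec:
  pipelineRef:
    resolver: git
    params:
      - name: url
        value: https://github.com/opendatahub-io/odh-konflux-central.git
      - name: revision
        value: main
      - name: pathInRepo
        value: pipeline/multi-arch-container-build.yaml
"""

if __name__ == "__main__":
    for line in findings(SAMPLE_MANIFEST):
        print(line)
```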