feat: add customized tekton pipeline to build image from tag#255

Merged
zdtsw merged 1 commit into
opendatahub-io:mainfrom
zdtsw-forking:chore_odh_build_image
Jun 18, 2026

Conversation

@zdtsw zdtsw commented Jun 15, 2026

Member

Notes

  • image should be stored in quay.io/opendatahub and tagged with the same git tag: vx.y.z matching upstream llm-d-router release
  • to retrigger a build in case of build failure, force push the tag; on-command won't work in this case without specifying a tag name

Summary by CodeRabbit

  • Chores
    • Added automated build pipeline configurations to enable container image builds and publishing triggered on version tag releases, improving internal build automation infrastructure.

- image should be stored in quay.io/opendatahub and tagged with the same git
  tag: vx.y.z matching upstream llm-d-router release
- to retrigger a build in case of build failure, force push the tag; on-command
  won't work in this case without specifying a tag name

Signed-off-by: Wen Zhou <wenzhou@redhat.com>
coderabbitai Bot commented Jun 15, 2026

📝 Walkthrough

Two Tekton PipelineRun manifests are added to .tekton/: one for the disagg-sidecar component (odh-llm-d-router-disagg-sidecar-on-tag) and one for the endpoint-picker component (odh-llm-d-router-endpoint-picker-on-tag). Both trigger on tag pushes via a Pipelines-as-Code CEL expression, resolve the shared pipeline/multi-arch-container-build.yaml from odh-konflux-central at main via a git resolver, supply component-specific Dockerfiles (Dockerfile.sidecar.konflux and Dockerfile.epp.konflux), and mount a git-auth secret workspace. Each targets namespace open-data-hub-tenant with a dedicated service account.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes


Supply chain surface (CWE-1357, CWE-494): Both manifests resolve the pipeline from odh-konflux-central pinned to branch main — not a commit SHA. A compromised or force-pushed main in that external repository would silently alter what runs against your tagged releases. Pin revision to a specific commit SHA.

Secret handling: The git-auth workspace pulls from a named Kubernetes Secret. Confirm that secret is scoped to the minimum necessary permissions and rotated per your org policy. Unscoped git credentials in CI/CD are a common lateral-movement vector (CWE-250).

Service account least-privilege: build-pipeline-odh-llm-d-router-disagg-sidecar-ci and the endpoint-picker equivalent should bind only the RBAC required for the build namespace. Verify no cluster-wide roles are attached.

🚥 Pre-merge checks | ✅ 10

✅ Passed checks (10 passed)

  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title accurately describes the main change: adding customized Tekton pipelines for building container images triggered by git tags, which is the primary purpose of both added manifest files.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
  • Contribution Quality And Spam Detection: Passed. Wen Zhou is an established contributor (51 commits) adding legitimate infrastructure code. Files are nearly identical (expected for parallel components), not auto-generated spam. Security issues are r...
  • No Hardcoded Secrets: Passed. No hardcoded secrets, API keys, tokens, or credentials found. All secret references use Tekton template variables ({{...}}) for runtime substitution; all URLs are public.
  • No Weak Cryptography: Passed. No banned cryptographic primitives, custom crypto implementations, or non-constant-time secret comparisons found. Both files are pure YAML pipeline configurations with no executable cryptographic c...
  • No Injection Vectors: Passed. No injection vectors detected. Files contain only Tekton YAML manifests with template variable substitution handled by the controller framework; no SQL/shell/eval/unsafe deserialization/XSS pattern...
  • No Privileged Containers: Passed. No privileged container settings found. Tekton PipelineRun manifests contain no privileged configurations. Dockerfiles use non-root user (65532:65532) in runtime stages; USER root appears only in b...
  • No Sensitive Data In Logs: Passed. No logging statements found in added Tekton manifests. Secrets properly mounted as workspaces with template variables, not exposed in logs or parameters.


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.tekton/odh-llm-d-router-disagg-sidecar-tag.yaml:
- Around line 36-37: The revision parameter in both PipelineRun files is set to
the mutable `main` branch reference, which poses a supply chain security risk by
executing potentially changed remote pipeline code at runtime. In
`.tekton/odh-llm-d-router-disagg-sidecar-tag.yaml` at lines 36-37, replace the
`revision: main` value with a specific immutable commit SHA or release tag.
Apply the identical change to
`.tekton/odh-llm-d-router-endpoint-picker-tag.yaml` at lines 36-37, ensuring
both files pin their pipelineRef revisions to the same immutable identifier to
maintain consistency and security.
- Line 12: The CEL expression in the
pipelinesascode.tekton.dev/on-cel-expression field uses
startsWith("refs/tags/v") which is too permissive and allows invalid tags that
do not follow semantic versioning (e.g., refs/tags/vfoo, refs/tags/vbar-rc1).
Replace the prefix match with a strict regex pattern that enforces the exact
vx.y.z semantic versioning format. Apply this fix in two files:
.tekton/odh-llm-d-router-disagg-sidecar-tag.yaml at line 12 (anchor) and
.tekton/odh-llm-d-router-endpoint-picker-tag.yaml at line 12 (sibling). Both
files require the same CEL expression update to use a regex constraint that
matches only tags following the vx.y.z pattern.

📥 Commits

Reviewing files that changed from the base of the PR and between 6831d5f and 7c37027.

📒 Files selected for processing (2)
  • .tekton/odh-llm-d-router-disagg-sidecar-tag.yaml
  • .tekton/odh-llm-d-router-endpoint-picker-tag.yaml

build.appstudio.redhat.com/target_branch: '{{target_branch}}'
pipelinesascode.tekton.dev/cancel-in-progress: "false"
pipelinesascode.tekton.dev/max-keep-runs: "3"
pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch.startsWith("refs/tags/v")


⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

Pipelines-as-Code CEL examples for matching Git tag pushes and whether target_branch.matches() is supported for strict regex gating.

💡 Result:

In Pipelines-as-Code, you can use CEL (Common Expression Language) expressions in the pipelinesascode.tekton.dev/on-cel-expression annotation for advanced event matching, including Git tag pushes [1][2][3]. For Git tag pushes, the target_branch field holds the reference name (e.g., refs/tags/v1.0) [2][4]. You can use the .matches() method—which supports standard regular expressions—to perform strict gating on these tags [1][5].

Example: Match only specific version tags

To trigger a PipelineRun only when a tag matching the pattern v1.* is pushed, use the following CEL expression:

  metadata:
    annotations:
      pipelinesascode.tekton.dev/on-cel-expression: |
        event == "push" && target_branch.matches("refs/tags/v1..*")

Key points regarding CEL and tag matching:

  • Supported: The target_branch.matches() function is fully supported for regex gating [1][5].
  • Precedence: When the on-cel-expression annotation is present, it takes priority, and other matching annotations (like on-target-branch or on-event) are ignored [2][3].
  • Context: The target_branch field is available in the CEL evaluation context for both push and pull request events [1][5][3].
  • Testing: You can validate your expressions against actual webhook payloads using the CLI command tkn pac cel [5].

For more complex scenarios, you can also access the full webhook payload via the body variable if you need to filter on deeper attributes of the tag push [6][7].

🏁 Script executed:

#!/bin/bash
# Locate and inspect both Tekton YAML files
find . -name "*odh-llm-d-router-disagg-sidecar-tag.yaml" -o -name "*odh-llm-d-router-endpoint-picker-tag.yaml" | head -20

Repository: opendatahub-io/llm-d-router

Length of output: 174


🏁 Script executed:

# Read the files to confirm the CEL expression on line 12
if [ -f ".tekton/odh-llm-d-router-disagg-sidecar-tag.yaml" ]; then
  echo "=== odh-llm-d-router-disagg-sidecar-tag.yaml ===" 
  sed -n '10,15p' .tekton/odh-llm-d-router-disagg-sidecar-tag.yaml
fi

if [ -f ".tekton/odh-llm-d-router-endpoint-picker-tag.yaml" ]; then
  echo "=== odh-llm-d-router-endpoint-picker-tag.yaml ===" 
  sed -n '10,15p' .tekton/odh-llm-d-router-endpoint-picker-tag.yaml
fi

Repository: opendatahub-io/llm-d-router

Length of output: 891


Enforce exact vx.y.z tag policy in CEL, not only prefix match (CWE-20).

startsWith("refs/tags/v") permits non-release tags (e.g., refs/tags/vfoo, refs/tags/vbar-rc1) while the objective requires vx.y.z semantic versioning.

  • .tekton/odh-llm-d-router-disagg-sidecar-tag.yaml#L12: replace with strict regex match.
  • .tekton/odh-llm-d-router-endpoint-picker-tag.yaml#L12: apply the same fix.
Suggested CEL hardening
-    pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch.startsWith("refs/tags/v")
+    pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch.matches("^refs/tags/v[0-9]+\\.[0-9]+\\.[0-9]+$")
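Review bot: the `\\.` escaping in the `+` line is only correct because the annotation value is a plain (unquoted) YAML scalar: YAML hands the backslashes through untouched and CEL's string literal then reduces `\\` to `\`, so the regex engine receives `\.`. The neighbouring annotations in this file (`cancel-in-progress: "false"`, `max-keep-runs: "3"`) are double-quoted, so a later edit that quotes this value for consistency would make YAML consume one escaping level (and collide with the inner `"push"` quotes), and the expression would no longer parse as written. Either keep the value unquoted or switch to a single-quoted YAML scalar, and run the final expression through `tkn pac cel` against a recorded tag-push payload, as the analysis above already suggests, before merging.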
📍 Affects 2 files
  • .tekton/odh-llm-d-router-disagg-sidecar-tag.yaml#L12-L12 (this comment)
  • .tekton/odh-llm-d-router-endpoint-picker-tag.yaml#L12-L12
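To make the three gating options concrete, here is an added Python example (not code from the PR, from CodeRabbit, or from Pipelines-as-Code) that evaluates the original startsWith condition, the suggested anchored regex, and the same regex with its anchors removed against a constructed set of refs. It relies on CEL's matches() being an unanchored RE2 search, which Python's re.search reproduces for this pattern; the ref names in SAMPLE_REFS are constructed for the example and include the two from the review plus further edge cases.

```python
import re
from typing import Callable, Dict, List, Tuple

# Pattern from the review suggestion, as the regex engine sees it once CEL has
# unescaped the string literal ("\\." in the YAML/CEL source becomes "\.").
STRICT_RE = re.compile(r"^refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$")

# The same pattern with ^ and $ dropped. CEL's matches() is an unanchored RE2
# search (assumption stated in the lead-in), so without anchors a ref only has
# to *contain* a vx.y.z-looking substring to pass.
UNANCHORED_RE = re.compile(r"refs/tags/v[0-9]+\.[0-9]+\.[0-9]+")


def prefix_gate(ref: str) -> bool:
    """The PR's original condition: target_branch.startsWith("refs/tags/v")."""
    return ref.startswith("refs/tags/v")


def unanchored_gate(ref: str) -> bool:
    """The suggested regex without anchors; shown to illustrate why they matter."""
    return UNANCHORED_RE.search(ref) is not None


def strict_gate(ref: str) -> bool:
    """The suggested hardening: exactly refs/tags/vX.Y.Z, nothing before or after."""
    return STRICT_RE.search(ref) is not None


# Constructed ref names: the two examples from the review plus further edge cases.
SAMPLE_REFS: List[str] = [
    "refs/tags/v1.2.3",                     # a real release tag
    "refs/tags/vfoo",                       # from the review: not a version
    "refs/tags/vbar-rc1",                   # from the review: not a version
    "refs/tags/v1.2.3-rc1",                 # pre-release suffix
    "refs/tags/v1.2.3.4",                   # four components
    "refs/tags/1.2.3",                      # missing the v prefix
    "refs/heads/main",                      # a branch push, not a tag
    "refs/heads/feature/refs/tags/v1.2.3",  # branch name embedding a tag-like path
]

Gate = Callable[[str], bool]


def compare_gates(refs: List[str]) -> Dict[str, Tuple[bool, bool, bool]]:
    """Return (prefix, unanchored, strict) verdicts for each ref."""
    return {ref: (prefix_gate(ref), unanchored_gate(ref), strict_gate(ref)) for ref in refs}


def release_refs(refs: List[str], gate: Gate = strict_gate) -> List[str]:
    """Refs that would trigger a build under the given gate."""
    return [ref for ref in refs if gate(ref)]


if __name__ == "__main__":
    print(f"{'ref':<40} prefix unanchored strict")
    for ref, (p, u, s) in compare_gates(SAMPLE_REFS).items():
        print(f"{ref:<40} {p!s:<6} {u!s:<10} {s!s}")
```

Under the prefix gate five of the eight constructed refs would start a release build; under the strict gate only refs/tags/v1.2.3 does. The unanchored column is the one to watch: it rejects vfoo and vbar-rc1 like the strict pattern, but still accepts v1.2.3-rc1, v1.2.3.4 and a branch whose name merely contains a tag-like path, which is why the ^ and $ in the suggested expression are load-bearing.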

Comment on lines +36 to +37
- name: revision
value: main


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify mutable resolver refs in tag-triggered PipelineRuns
rg -n --glob '.tekton/*-tag.yaml' 'name:\s*revision|value:\s*main' .tekton

Repository: opendatahub-io/llm-d-router

Length of output: 502


Pin pipelineRef to an immutable commit/tag, not main (CWE-494).

Using revision: main in tag-triggered PipelineRuns executes mutable remote pipeline code at runtime, exposing the CI/CD supply chain.

  • .tekton/odh-llm-d-router-disagg-sidecar-tag.yaml:37: replace revision: main with a commit SHA or immutable release tag.
  • .tekton/odh-llm-d-router-endpoint-picker-tag.yaml:37: apply the same pinning strategy.
Suggested patch pattern
   pipelineRef:
     resolver: git
     params:
     - name: url
       value: https://github.com/opendatahub-io/odh-konflux-central.git
     - name: revision
-      value: main
+      value: <immutable-commit-sha-or-immutable-release-tag>
     - name: pathInRepo
       value: pipeline/multi-arch-container-build.yaml
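Review bot: the `+` line offers an "immutable release tag" as an alternative to a commit SHA, but a tag in odh-konflux-central is not immutable: it can be deleted and re-pushed at a different commit, and this PR's own description depends on exactly that behaviour (force-pushing a tag to retrigger a build). Pin `revision` to the full 40-character commit SHA only, and put the corresponding upstream tag or date in a YAML comment beside it so the next person bumping the pin knows what it points at. Applying the same SHA in both `-tag.yaml` files, as the finding asks, also keeps the two components building against the same pipeline definition.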
📍 Affects 2 files
  • .tekton/odh-llm-d-router-disagg-sidecar-tag.yaml#L36-L37 (this comment)
  • .tekton/odh-llm-d-router-endpoint-picker-tag.yaml#L36-L37
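A defender's follow-up to this finding: a small added Python check (not part of this PR or of odh-konflux-central) that scans PipelineRun text for git-resolver `revision` params and flags any value that is not a full 40-hex commit SHA, so an unpinned branch or tag can fail CI before it reaches main. It is deliberately line-based, assuming the `- name: revision` / `value:` layout shown in the suggested patch, so it needs no YAML library; the manifests in SAMPLE_MANIFESTS and the SHA inside them are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample in the pipelineRef shape from the suggested patch: one run
# pinned to a made-up commit SHA, one following a branch, one following a tag.
SAMPLE_MANIFESTS = """\
# pinned.yaml (constructed)
  pipelineRef:
    resolver: git
    params:
    - name: url
      value: https://github.com/opendatahub-io/odh-konflux-central.git
    - name: revision
      value: 0123456789abcdef0123456789abcdef01234567
    - name: pathInRepo
      value: pipeline/multi-arch-container-build.yaml
---
# branch.yaml (constructed)
  pipelineRef:
    resolver: git
    params:
    - name: url
      value: https://github.com/opendatahub-io/odh-konflux-central.git
    - name: revision
      value: main
---
# tag.yaml (constructed)
  pipelineRef:
    resolver: git
    params:
    - name: revision
      value: "v1.2.3"
"""

# Only a full 40-character lowercase hex SHA counts as pinned; abbreviated SHAs,
# branch names and tag names are all mutable or ambiguous.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# The two-line `- name: revision` / `value: ...` pair; tolerates quoted values.
REVISION_RE = re.compile(r"-\s*name:\s*revision\s*\n\s*value:\s*['\"]?([^'\"\s]+)['\"]?")


def is_full_sha(value: str) -> bool:
    return FULL_SHA_RE.match(value) is not None


def find_revisions(text: str) -> List[Dict[str, object]]:
    """Every git-resolver revision in the text, with its line number and pin status."""
    findings: List[Dict[str, object]] = []
    for m in REVISION_RE.finditer(text):
        value = m.group(1)
        line_no = text.count("\n", 0, m.start(1)) + 1
        findings.append({"line": line_no, "value": value, "pinned": is_full_sha(value)})
    return findings


def unpinned_revisions(text: str) -> List[Dict[str, object]]:
    """Revisions that should block the change: anything not a full commit SHA."""
    return [f for f in find_revisions(text) if not f["pinned"]]


if __name__ == "__main__":
    for f in unpinned_revisions(SAMPLE_MANIFESTS):
        print(f"line {f['line']}: revision {f['value']!r} is not a full commit SHA")
```

Run against the sample, the check reports the `main` and `v1.2.3` revisions and passes the SHA-pinned one. In a real repository the same function would be fed the contents of each .tekton/*.yaml file, and a non-empty result would fail the job; a YAML parser would be the more robust choice once the manifests stop following the simple two-line layout.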


@Gregory-Pereira Gregory-Pereira left a comment

Member


/lgtm

@zdtsw zdtsw merged commit aec3849 into opendatahub-io:main Jun 18, 2026
19 checks passed