add pipelineruns for odh ci builds (#104)#114
Merged
sutaakar merged 2 commits intoopendatahub-io:devfrom Mar 10, 2026
Merged
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Central YAML (base), Organization UI (inherited) Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughWalkthroughAdds a new Tekton PipelineRun manifest at .tekton/odh-training-operator-pull-request.yaml defining parameters, a git-resolver pipelineRef (pathInRepo pipeline/multi-arch-container-build.yaml, revision main), taskRunTemplate serviceAccount, and a git-auth workspace secret. Refactors .tekton/odh-training-operator-push.yaml by removing an inline pipelineSpec and replacing it with a pipelineRef (git resolver with git-url, revision, pathInRepo), updates labels/metadata from opendatahub-release/... to opendatahub-builds/..., changes the CEL trigger from Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Security & Configuration Concerns
🚥 Pre-merge checks | ✅ 2✅ Passed checks (2 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 7
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.tekton/odh-training-operator-pull-request.yaml:
- Line 52: The file currently ends with the YAML line "status: {}" but is
missing a trailing newline; update the file so it ends with "status: {}"
followed by a single newline character, save the change and commit it so
end-of-file-fixer stops failing.
- Around line 26-34: The PR image tag is too generic (output-image value
'quay.io/opendatahub/training-operator:odh-pr' and additional-tags
'odh-pr-{{revision}}') and allows concurrent PRs to overwrite each other; change
the mutable tag to include the PR number and keep the revision for uniqueness.
Update the output-image/tag or add an additional-tag so you publish a
PR-specific mutable tag like 'odh-pr-{{pull_request_number}}' (and optionally
'odh-pr-{{pull_request_number}}-{{revision}}'), while retaining the existing
'odh-pr-{{revision}}' tag in additional-tags.
- Line 5: The repo annotation build.appstudio.openshift.io/repo is pinned to a
fixed upstream URL; change it to use the PR's source URL variable (e.g., replace
the hardcoded
https://github.com/opendatahub-io/training-operator?rev={{revision}} value with
the template variable that holds the PR source, such as {{source_url}} with the
appropriate rev/query appended) so forked PRs point to the correct repository
source; update the annotation key build.appstudio.openshift.io/repo in
.tekton/odh-training-operator-pull-request.yaml to reference the template
variable instead of the upstream constant.
- Around line 37-45: The pipelineRef currently pins to a moving branch via the
params entry name: revision with value: main; change that value to an immutable
identifier (the specific commit SHA or a tagged release) so the pipeline uses a
fixed revision—update the params -> name: revision value to the target commit
SHA or release tag referenced in the upstream repo to prevent non-deterministic
builds and supply-chain drift.
In @.tekton/odh-training-operator-push.yaml:
- Line 46: The file ends with the line "status: {}" but is missing a trailing
newline; edit the file so it ends with a single newline character (ensure the
final line "status: {}" is terminated with '\n'), save and commit the change so
end-of-file-fixer no longer fails.
- Around line 25-26: The pipeline currently sets the image only to the floating
tag "quay.io/opendatahub/training-operator:odh-stable" (output-image), losing
commit-level traceability; change the pipeline/task that uses the output-image
parameter so it pushes both the stable tag and an immutable tag (e.g.,
quay.io/opendatahub/training-operator:<COMMIT_SHA> or :<RELEASE_VERSION>) — keep
output-image pointing to odh-stable as the alias but add a second parameter or
derive a second tag (name it e.g. output-image-immutable) and update the
build/push steps to push both tags (reference the output-image param and the new
immutable tag variable when invoking the container build/push).
- Around line 31-39: The pipelineRef currently uses the mutable branch name
"main" in the params (params -> name: revision -> value: main); update this to a
fixed commit SHA or an immutable release tag to ensure reproducible builds and
eliminate supply-chain risk, and make the same change wherever
pipelineRef.params.revision is set (e.g., in
.tekton/odh-training-operator-push.yaml and
.tekton/odh-training-operator-pull-request.yaml) so both references point to the
exact same commit or tag.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Central YAML (base), Organization UI (inherited)
Review profile: CHILL
Plan: Pro
Run ID: c2173b03-1a54-486a-a068-4220c16784d9
📒 Files selected for processing (2)
.tekton/odh-training-operator-pull-request.yaml.tekton/odh-training-operator-push.yaml
| kind: PipelineRun | ||
| metadata: | ||
| annotations: | ||
| build.appstudio.openshift.io/repo: https://github.com/opendatahub-io/training-operator?rev={{revision}} |
There was a problem hiding this comment.
Use the actual PR source in the repo annotation.
git-url comes from {{source_url}}, but this annotation is pinned to the upstream repo. For forked PRs, that can point provenance at the wrong repository and even at a commit that does not exist there.
Diff
- build.appstudio.openshift.io/repo: https://github.com/opendatahub-io/training-operator?rev={{revision}}
+ build.appstudio.openshift.io/repo: '{{source_url}}?rev={{revision}}'📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
Suggested change
| build.appstudio.openshift.io/repo: https://github.com/opendatahub-io/training-operator?rev={{revision}} | |
| build.appstudio.openshift.io/repo: '{{source_url}}?rev={{revision}}' |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.tekton/odh-training-operator-pull-request.yaml at line 5, The repo
annotation build.appstudio.openshift.io/repo is pinned to a fixed upstream URL;
change it to use the PR's source URL variable (e.g., replace the hardcoded
https://github.com/opendatahub-io/training-operator?rev={{revision}} value with
the template variable that holds the PR source, such as {{source_url}} with the
appropriate rev/query appended) so forked PRs point to the correct repository
source; update the annotation key build.appstudio.openshift.io/repo in
.tekton/odh-training-operator-pull-request.yaml to reference the template
variable instead of the upstream constant.
Comment on lines
+26
to
+34
| - name: output-image | ||
| value: quay.io/opendatahub/training-operator:odh-pr | ||
| - name: dockerfile | ||
| value: build/images/training-operator/Dockerfile.rhoai | ||
| - name: path-context | ||
| value: . | ||
| - name: additional-tags | ||
| value: | ||
| - 'odh-pr-{{revision}}' |
There was a problem hiding this comment.
Scope the mutable PR tag to a single PR.
Publishing every pull-request build as odh-pr lets concurrent PRs overwrite each other's image. Anything consuming that tag can test the wrong artifact. Include {{pull_request_number}} in the mutable tag and keep the revision tag for uniqueness.
Diff
- name: output-image
- value: quay.io/opendatahub/training-operator:odh-pr
+ value: quay.io/opendatahub/training-operator:odh-pr-{{pull_request_number}}📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
Suggested change
| - name: output-image | |
| value: quay.io/opendatahub/training-operator:odh-pr | |
| - name: dockerfile | |
| value: build/images/training-operator/Dockerfile.rhoai | |
| - name: path-context | |
| value: . | |
| - name: additional-tags | |
| value: | |
| - 'odh-pr-{{revision}}' | |
| - name: output-image | |
| value: quay.io/opendatahub/training-operator:odh-pr-{{pull_request_number}} | |
| - name: dockerfile | |
| value: build/images/training-operator/Dockerfile.rhoai | |
| - name: path-context | |
| value: . | |
| - name: additional-tags | |
| value: | |
| - 'odh-pr-{{revision}}' |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.tekton/odh-training-operator-pull-request.yaml around lines 26 - 34, The PR
image tag is too generic (output-image value
'quay.io/opendatahub/training-operator:odh-pr' and additional-tags
'odh-pr-{{revision}}') and allows concurrent PRs to overwrite each other; change
the mutable tag to include the PR number and keep the revision for uniqueness.
Update the output-image/tag or add an additional-tag so you publish a
PR-specific mutable tag like 'odh-pr-{{pull_request_number}}' (and optionally
'odh-pr-{{pull_request_number}}-{{revision}}'), while retaining the existing
'odh-pr-{{revision}}' tag in additional-tags.
Comment on lines
+37
to
+45
| pipelineRef: | ||
| resolver: git | ||
| params: | ||
| - name: url | ||
| value: https://github.com/opendatahub-io/odh-konflux-central.git | ||
| - name: revision | ||
| value: main | ||
| - name: pathInRepo | ||
| value: pipeline/multi-arch-container-build.yaml |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
git ls-remote https://github.com/opendatahub-io/odh-konflux-central.git refs/heads/main
curl -fsSL https://raw.githubusercontent.com/opendatahub-io/odh-konflux-central/main/pipeline/multi-arch-container-build.yaml | sed -n '1,120p'Repository: opendatahub-io/training-operator
Length of output: 5024
Pin the external pipeline to an immutable revision.
Resolving the build logic from another repository's main branch (currently at d6d5c5c256566d5af2d409dd84083c59cba573c9) creates non-deterministic builds and supply-chain drift outside this repo (CWE-494, CWE-829). Pin revision to the commit SHA or an immutable release tag.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.tekton/odh-training-operator-pull-request.yaml around lines 37 - 45, The
pipelineRef currently pins to a moving branch via the params entry name:
revision with value: main; change that value to an immutable identifier (the
specific commit SHA or a tagged release) so the pipeline uses a fixed
revision—update the params -> name: revision value to the target commit SHA or
release tag referenced in the upstream repo to prevent non-deterministic builds
and supply-chain drift.
Comment on lines
25
to
+26
| - name: output-image | ||
| value: quay.io/opendatahub/training-operator:v1.9.0-odh-3 | ||
| value: quay.io/opendatahub/training-operator:odh-stable |
There was a problem hiding this comment.
Keep an immutable tag in addition to odh-stable.
This change drops the versioned image name and leaves stable builds publishing only a floating tag. That removes commit-level traceability and makes rollback/debugging much harder. Keep odh-stable as an alias, but also publish a commit- or release-specific tag.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.tekton/odh-training-operator-push.yaml around lines 25 - 26, The pipeline
currently sets the image only to the floating tag
"quay.io/opendatahub/training-operator:odh-stable" (output-image), losing
commit-level traceability; change the pipeline/task that uses the output-image
parameter so it pushes both the stable tag and an immutable tag (e.g.,
quay.io/opendatahub/training-operator:<COMMIT_SHA> or :<RELEASE_VERSION>) — keep
output-image pointing to odh-stable as the alias but add a second parameter or
derive a second tag (name it e.g. output-image-immutable) and update the
build/push steps to push both tags (reference the output-image param and the new
immutable tag variable when invoking the container build/push).
Comment on lines
+31
to
+39
| pipelineRef: | ||
| resolver: git | ||
| params: | ||
| - description: Source Repository URL | ||
| name: git-url | ||
| type: string | ||
| - default: "" | ||
| description: Revision of the Source Repository | ||
| name: revision | ||
| type: string | ||
| - description: Fully Qualified Output Image | ||
| name: output-image | ||
| type: string | ||
| - default: . | ||
| description: Path to the source code of an application's component from where | ||
| to build image. | ||
| name: path-context | ||
| type: string | ||
| - default: Dockerfile | ||
| description: Path to the Dockerfile inside the context specified by parameter | ||
| path-context | ||
| name: dockerfile | ||
| type: string | ||
| - default: "true" | ||
| description: Force rebuild image | ||
| name: rebuild | ||
| type: string | ||
| - default: "false" | ||
| description: Skip checks against built image | ||
| name: skip-checks | ||
| type: string | ||
| - default: "false" | ||
| description: Execute the build with network isolation | ||
| name: hermetic | ||
| type: string | ||
| - default: "" | ||
| description: Build dependencies to be prefetched by Cachi2 | ||
| name: prefetch-input | ||
| type: string | ||
| - default: "" | ||
| description: Image tag expiration time, time values could be something like | ||
| 1h, 2d, 3w for hours, days, and weeks, respectively. | ||
| name: image-expires-after | ||
| - default: "false" | ||
| description: Build a source image. | ||
| name: build-source-image | ||
| type: string | ||
| - default: "false" | ||
| description: Add built image into an OCI image index | ||
| name: build-image-index | ||
| type: string | ||
| - default: [] | ||
| description: Array of --build-arg values ("arg=value" strings) for buildah | ||
| name: build-args | ||
| type: array | ||
| - default: "" | ||
| description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file | ||
| name: build-args-file | ||
| type: string | ||
| - default: "false" | ||
| description: Whether to enable privileged mode, should be used only with remote | ||
| VMs | ||
| name: privileged-nested | ||
| type: string | ||
| results: | ||
| - description: "" | ||
| name: IMAGE_URL | ||
| value: $(tasks.build-image-index.results.IMAGE_URL) | ||
| - description: "" | ||
| name: IMAGE_DIGEST | ||
| value: $(tasks.build-image-index.results.IMAGE_DIGEST) | ||
| - description: "" | ||
| name: CHAINS-GIT_URL | ||
| value: $(tasks.clone-repository.results.url) | ||
| - description: "" | ||
| name: CHAINS-GIT_COMMIT | ||
| value: $(tasks.clone-repository.results.commit) | ||
| tasks: | ||
| - name: rhoai-init | ||
| params: | ||
| - name: pipelinerun-name | ||
| value: "$(context.pipelineRun.name)" | ||
| taskSpec: | ||
| results: | ||
| - description: Notification text to be posted to slack | ||
| name: slack-message-failure-text | ||
| steps: | ||
| - image: quay.io/rhoai-konflux/alpine:latest | ||
| name: rhoai-init | ||
| env: | ||
| - name: slack_message | ||
| valueFrom: | ||
| secretKeyRef: | ||
| name: slack-secret | ||
| key: slack-component-failure-notification | ||
| script: | | ||
| pipelinerun_name=$(params.pipelinerun-name) | ||
| echo "pipelinerun-name = $pipelinerun_name" | ||
| application_name=opendatahub-release | ||
| echo "application-name = $application_name" | ||
|
|
||
| component_name=${pipelinerun_name/-on-*/} | ||
| echo "component-name = $component_name" | ||
|
|
||
| KONFLUX_SERVER="https://konflux-ui.apps.stone-prd-rh01.pg1f.p1.openshiftapps.com" | ||
| build_url="${KONFLUX_SERVER}/ns/open-data-hub-tenant/applications/${application_name}/pipelineruns/${pipelinerun_name}/logs" | ||
|
|
||
| build_time="$(date +%Y-%m-%dT%H:%M:%S)" | ||
|
|
||
| slack_message=${slack_message/__BUILD__URL__/$build_url} | ||
| slack_message=${slack_message/__PIPELINERUN__NAME__/$pipelinerun_name} | ||
| slack_message=${slack_message/__BUILD__TIME__/$build_time} | ||
|
|
||
| echo -en "${slack_message}" > "$(results.slack-message-failure-text.path)" | ||
| - name: init | ||
| params: | ||
| - name: image-url | ||
| value: $(params.output-image) | ||
| - name: rebuild | ||
| value: $(params.rebuild) | ||
| - name: skip-checks | ||
| value: $(params.skip-checks) | ||
| taskRef: | ||
| params: | ||
| - name: name | ||
| value: init | ||
| - name: bundle | ||
| value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:7a24924417260b7094541caaedd2853dc8da08d4bb0968f710a400d3e8062063 | ||
| - name: kind | ||
| value: task | ||
| resolver: bundles | ||
| runAfter: | ||
| - rhoai-init | ||
| - name: clone-repository | ||
| params: | ||
| - name: url | ||
| value: $(params.git-url) | ||
| - name: revision | ||
| value: $(params.revision) | ||
| - name: ociStorage | ||
| value: $(params.output-image).git | ||
| - name: ociArtifactExpiresAfter | ||
| value: $(params.image-expires-after) | ||
| runAfter: | ||
| - init | ||
| taskRef: | ||
| params: | ||
| - name: name | ||
| value: git-clone-oci-ta | ||
| - name: bundle | ||
| value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:8ecf57d5a6697ce709bee65b62781efe79a10b0c2b95e05576442b67fbd61744 | ||
| - name: kind | ||
| value: task | ||
| resolver: bundles | ||
| when: | ||
| - input: $(tasks.init.results.build) | ||
| operator: in | ||
| values: | ||
| - "true" | ||
| workspaces: | ||
| - name: basic-auth | ||
| workspace: git-auth | ||
| - name: prefetch-dependencies | ||
| params: | ||
| - name: input | ||
| value: $(params.prefetch-input) | ||
| - name: SOURCE_ARTIFACT | ||
| value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) | ||
| - name: ociStorage | ||
| value: $(params.output-image).prefetch | ||
| - name: ociArtifactExpiresAfter | ||
| value: $(params.image-expires-after) | ||
| runAfter: | ||
| - clone-repository | ||
| taskRef: | ||
| params: | ||
| - name: name | ||
| value: prefetch-dependencies-oci-ta | ||
| - name: bundle | ||
| value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:d48c621ae828a3cbca162e12ec166210d2d77a7ba23b0e5d60c4a1b94491adeb | ||
| - name: kind | ||
| value: task | ||
| resolver: bundles | ||
| workspaces: | ||
| - name: git-basic-auth | ||
| workspace: git-auth | ||
| - name: netrc | ||
| workspace: netrc | ||
| - name: build-container | ||
| params: | ||
| - name: IMAGE | ||
| value: $(params.output-image) | ||
| - name: DOCKERFILE | ||
| value: $(params.dockerfile) | ||
| - name: CONTEXT | ||
| value: $(params.path-context) | ||
| - name: HERMETIC | ||
| value: $(params.hermetic) | ||
| - name: PREFETCH_INPUT | ||
| value: $(params.prefetch-input) | ||
| - name: IMAGE_EXPIRES_AFTER | ||
| value: $(params.image-expires-after) | ||
| - name: COMMIT_SHA | ||
| value: $(tasks.clone-repository.results.commit) | ||
| - name: BUILD_ARGS | ||
| value: | ||
| - $(params.build-args[*]) | ||
| - name: BUILD_ARGS_FILE | ||
| value: $(params.build-args-file) | ||
| - name: PRIVILEGED_NESTED | ||
| value: $(params.privileged-nested) | ||
| - name: SOURCE_ARTIFACT | ||
| value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) | ||
| - name: CACHI2_ARTIFACT | ||
| value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) | ||
| runAfter: | ||
| - prefetch-dependencies | ||
| taskRef: | ||
| params: | ||
| - name: name | ||
| value: buildah-oci-ta | ||
| - name: bundle | ||
| value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.4@sha256:6ac9d16f598c14a4b56e662eccda0a438e94aa8f87dd27a3ea0ff1abc6e00c66 | ||
| - name: kind | ||
| value: task | ||
| resolver: bundles | ||
| when: | ||
| - input: $(tasks.init.results.build) | ||
| operator: in | ||
| values: | ||
| - "true" | ||
| - name: build-image-index | ||
| params: | ||
| - name: IMAGE | ||
| value: $(params.output-image) | ||
| - name: COMMIT_SHA | ||
| value: $(tasks.clone-repository.results.commit) | ||
| - name: IMAGE_EXPIRES_AFTER | ||
| value: $(params.image-expires-after) | ||
| - name: ALWAYS_BUILD_INDEX | ||
| value: $(params.build-image-index) | ||
| - name: IMAGES | ||
| value: | ||
| - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) | ||
| runAfter: | ||
| - build-container | ||
| taskRef: | ||
| params: | ||
| - name: name | ||
| value: build-image-index | ||
| - name: bundle | ||
| value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:462ecbf94ec44a8b770d6ef8838955f91f57ee79795e5c18bdc0fcb0df593742 | ||
| - name: kind | ||
| value: task | ||
| resolver: bundles | ||
| when: | ||
| - input: $(tasks.init.results.build) | ||
| operator: in | ||
| values: | ||
| - "true" | ||
| - name: build-source-image | ||
| params: | ||
| - name: BINARY_IMAGE | ||
| value: $(params.output-image) | ||
| - name: SOURCE_ARTIFACT | ||
| value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) | ||
| - name: CACHI2_ARTIFACT | ||
| value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) | ||
| runAfter: | ||
| - build-image-index | ||
| taskRef: | ||
| params: | ||
| - name: name | ||
| value: source-build-oci-ta | ||
| - name: bundle | ||
| value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.2@sha256:56fa2cbfc04bad4765b7fe1fa8022587f4042d4e8533bb5f65311d46b43226ee | ||
| - name: kind | ||
| value: task | ||
| resolver: bundles | ||
| when: | ||
| - input: $(tasks.init.results.build) | ||
| operator: in | ||
| values: | ||
| - "true" | ||
| - input: $(params.build-source-image) | ||
| operator: in | ||
| values: | ||
| - "true" | ||
| - name: deprecated-base-image-check | ||
| params: | ||
| - name: IMAGE_URL | ||
| value: $(tasks.build-image-index.results.IMAGE_URL) | ||
| - name: IMAGE_DIGEST | ||
| value: $(tasks.build-image-index.results.IMAGE_DIGEST) | ||
| runAfter: | ||
| - build-image-index | ||
| taskRef: | ||
| params: | ||
| - name: name | ||
| value: deprecated-image-check | ||
| - name: bundle | ||
| value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:eb8136b543147b4a3e88ca3cc661ca6a11e303f35f0db44059f69151beea8496 | ||
| - name: kind | ||
| value: task | ||
| resolver: bundles | ||
| when: | ||
| - input: $(params.skip-checks) | ||
| operator: in | ||
| values: | ||
| - "false" | ||
| - name: clair-scan | ||
| params: | ||
| - name: image-digest | ||
| value: $(tasks.build-image-index.results.IMAGE_DIGEST) | ||
| - name: image-url | ||
| value: $(tasks.build-image-index.results.IMAGE_URL) | ||
| runAfter: | ||
| - build-image-index | ||
| taskRef: | ||
| params: | ||
| - name: name | ||
| value: clair-scan | ||
| - name: bundle | ||
| value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:7c73e2beca9b8306387efeaf775831440ec799b05a5f5c008a65bb941a1e91f6 | ||
| - name: kind | ||
| value: task | ||
| resolver: bundles | ||
| when: | ||
| - input: $(params.skip-checks) | ||
| operator: in | ||
| values: | ||
| - "false" | ||
| - name: ecosystem-cert-preflight-checks | ||
| params: | ||
| - name: image-url | ||
| value: $(tasks.build-image-index.results.IMAGE_URL) | ||
| runAfter: | ||
| - build-image-index | ||
| taskRef: | ||
| params: | ||
| - name: name | ||
| value: ecosystem-cert-preflight-checks | ||
| - name: bundle | ||
| value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:dea8d9b4bec3e99d612d799798acf132df48276164b5193ea68f9f3c25ae425b | ||
| - name: kind | ||
| value: task | ||
| resolver: bundles | ||
| when: | ||
| - input: $(params.skip-checks) | ||
| operator: in | ||
| values: | ||
| - "false" | ||
| - name: sast-snyk-check | ||
| params: | ||
| - name: image-digest | ||
| value: $(tasks.build-image-index.results.IMAGE_DIGEST) | ||
| - name: image-url | ||
| value: $(tasks.build-image-index.results.IMAGE_URL) | ||
| - name: SOURCE_ARTIFACT | ||
| value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) | ||
| - name: CACHI2_ARTIFACT | ||
| value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) | ||
| runAfter: | ||
| - build-image-index | ||
| taskRef: | ||
| params: | ||
| - name: name | ||
| value: sast-snyk-check-oci-ta | ||
| - name: bundle | ||
| value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:89aead32dc21404e4e0913be9668bdd2eea795db3e4caa762fb619044e479cb8 | ||
| - name: kind | ||
| value: task | ||
| resolver: bundles | ||
| when: | ||
| - input: $(params.skip-checks) | ||
| operator: in | ||
| values: | ||
| - "false" | ||
| - name: clamav-scan | ||
| params: | ||
| - name: image-digest | ||
| value: $(tasks.build-image-index.results.IMAGE_DIGEST) | ||
| - name: image-url | ||
| value: $(tasks.build-image-index.results.IMAGE_URL) | ||
| runAfter: | ||
| - build-image-index | ||
| taskRef: | ||
| params: | ||
| - name: name | ||
| value: clamav-scan | ||
| - name: bundle | ||
| value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:59094118aa07d5b0199565c4e0b2d0f4feb9a4741877c8716877572e2c4804f9 | ||
| - name: kind | ||
| value: task | ||
| resolver: bundles | ||
| when: | ||
| - input: $(params.skip-checks) | ||
| operator: in | ||
| values: | ||
| - "false" | ||
| - name: sast-coverity-check | ||
| params: | ||
| - name: image-digest | ||
| value: $(tasks.build-image-index.results.IMAGE_DIGEST) | ||
| - name: image-url | ||
| value: $(tasks.build-image-index.results.IMAGE_URL) | ||
| - name: IMAGE | ||
| value: $(params.output-image) | ||
| - name: DOCKERFILE | ||
| value: $(params.dockerfile) | ||
| - name: CONTEXT | ||
| value: $(params.path-context) | ||
| - name: HERMETIC | ||
| value: $(params.hermetic) | ||
| - name: PREFETCH_INPUT | ||
| value: $(params.prefetch-input) | ||
| - name: IMAGE_EXPIRES_AFTER | ||
| value: $(params.image-expires-after) | ||
| - name: COMMIT_SHA | ||
| value: $(tasks.clone-repository.results.commit) | ||
| - name: BUILD_ARGS | ||
| value: | ||
| - $(params.build-args[*]) | ||
| - name: BUILD_ARGS_FILE | ||
| value: $(params.build-args-file) | ||
| - name: SOURCE_ARTIFACT | ||
| value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) | ||
| - name: CACHI2_ARTIFACT | ||
| value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) | ||
| runAfter: | ||
| - coverity-availability-check | ||
| taskRef: | ||
| params: | ||
| - name: name | ||
| value: sast-coverity-check-oci-ta | ||
| - name: bundle | ||
| value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:87af64576088ba68f2a5b89998b7ae9e92d7e4f039274e4be6000eff6ce0d95d | ||
| - name: kind | ||
| value: task | ||
| resolver: bundles | ||
| when: | ||
| - input: $(params.skip-checks) | ||
| operator: in | ||
| values: | ||
| - "false" | ||
| - input: $(tasks.coverity-availability-check.results.STATUS) | ||
| operator: in | ||
| values: | ||
| - success | ||
| - name: coverity-availability-check | ||
| runAfter: | ||
| - build-image-index | ||
| taskRef: | ||
| params: | ||
| - name: name | ||
| value: coverity-availability-check | ||
| - name: bundle | ||
| value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:8b58c4fae00c0dfe3937abfb8a9a61aa3c408cca4278b817db53d518428d944e | ||
| - name: kind | ||
| value: task | ||
| resolver: bundles | ||
| when: | ||
| - input: $(params.skip-checks) | ||
| operator: in | ||
| values: | ||
| - "false" | ||
| - name: sast-shell-check | ||
| params: | ||
| - name: image-digest | ||
| value: $(tasks.build-image-index.results.IMAGE_DIGEST) | ||
| - name: image-url | ||
| value: $(tasks.build-image-index.results.IMAGE_URL) | ||
| - name: SOURCE_ARTIFACT | ||
| value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) | ||
| - name: CACHI2_ARTIFACT | ||
| value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) | ||
| runAfter: | ||
| - build-image-index | ||
| taskRef: | ||
| params: | ||
| - name: name | ||
| value: sast-shell-check-oci-ta | ||
| - name: bundle | ||
| value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:57b3262138eb06186ae7375f84ca53788bba2a66cfd03d39cb82c78df050aba5 | ||
| - name: kind | ||
| value: task | ||
| resolver: bundles | ||
| when: | ||
| - input: $(params.skip-checks) | ||
| operator: in | ||
| values: | ||
| - "false" | ||
| - name: sast-unicode-check | ||
| params: | ||
| - name: image-digest | ||
| value: $(tasks.build-image-index.results.IMAGE_DIGEST) | ||
| - name: image-url | ||
| value: $(tasks.build-image-index.results.IMAGE_URL) | ||
| - name: SOURCE_ARTIFACT | ||
| value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) | ||
| - name: CACHI2_ARTIFACT | ||
| value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) | ||
| runAfter: | ||
| - build-image-index | ||
| taskRef: | ||
| params: | ||
| - name: name | ||
| value: sast-unicode-check-oci-ta | ||
| - name: bundle | ||
| value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.2@sha256:df185dbe4e2852668f9c46f938dd752e90ea9c79696363378435a6499596c319 | ||
| - name: kind | ||
| value: task | ||
| resolver: bundles | ||
| when: | ||
| - input: $(params.skip-checks) | ||
| operator: in | ||
| values: | ||
| - "false" | ||
| - name: apply-tags | ||
| params: | ||
| - name: IMAGE | ||
| value: $(tasks.build-image-index.results.IMAGE_URL) | ||
| runAfter: | ||
| - build-image-index | ||
| taskRef: | ||
| params: | ||
| - name: name | ||
| value: apply-tags | ||
| - name: bundle | ||
| value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:3f89ba89cacf8547261b5ce064acce81bfe470c8ace127794d0e90aebc8c347d | ||
| - name: kind | ||
| value: task | ||
| resolver: bundles | ||
| - name: push-dockerfile | ||
| params: | ||
| - name: IMAGE | ||
| value: $(tasks.build-image-index.results.IMAGE_URL) | ||
| - name: IMAGE_DIGEST | ||
| value: $(tasks.build-image-index.results.IMAGE_DIGEST) | ||
| - name: DOCKERFILE | ||
| value: $(params.dockerfile) | ||
| - name: CONTEXT | ||
| value: $(params.path-context) | ||
| - name: SOURCE_ARTIFACT | ||
| value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) | ||
| runAfter: | ||
| - build-image-index | ||
| taskRef: | ||
| params: | ||
| - name: name | ||
| value: push-dockerfile-oci-ta | ||
| - name: bundle | ||
| value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:278f84550844c1c050a65536799f4b54e7c203e0ac51393aa75379dd974c82e9 | ||
| - name: kind | ||
| value: task | ||
| resolver: bundles | ||
| - name: rpms-signature-scan | ||
| params: | ||
| - name: image-url | ||
| value: $(tasks.build-image-index.results.IMAGE_URL) | ||
| - name: image-digest | ||
| value: $(tasks.build-image-index.results.IMAGE_DIGEST) | ||
| runAfter: | ||
| - build-image-index | ||
| taskRef: | ||
| params: | ||
| - name: name | ||
| value: rpms-signature-scan | ||
| - name: bundle | ||
| value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:297c2d8928aa3b114fcb1ba5d9da8b10226b68fed30706e78a6a5089c6cd30e3 | ||
| - name: kind | ||
| value: task | ||
| resolver: bundles | ||
| when: | ||
| - input: $(params.skip-checks) | ||
| operator: in | ||
| values: | ||
| - "false" | ||
| workspaces: | ||
| - name: git-auth | ||
| optional: true | ||
| - name: netrc | ||
| optional: true | ||
| - name: url | ||
| value: https://github.com/opendatahub-io/odh-konflux-central.git | ||
| - name: revision | ||
| value: main | ||
| - name: pathInRepo | ||
| value: pipeline/multi-arch-container-build.yaml |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
# Locate and examine the specific file
git ls-files .tekton/ | head -20Repository: opendatahub-io/training-operator
Length of output: 163
🏁 Script executed:
# Check if the file exists and read the relevant lines
if [ -f ".tekton/odh-training-operator-push.yaml" ]; then
echo "=== File exists ==="
wc -l ".tekton/odh-training-operator-push.yaml"
echo "=== Lines 25-45 ==="
sed -n '25,45p' ".tekton/odh-training-operator-push.yaml"
else
echo "File not found"
fiRepository: opendatahub-io/training-operator
Length of output: 772
🏁 Script executed:
# Search for all pipelineRef patterns in .tekton directory to check for similar issues
echo "=== All pipelineRef patterns in .tekton ==="
rg -A 5 'pipelineRef:' .tekton/Repository: opendatahub-io/training-operator
Length of output: 956
🏁 Script executed:
# Check if there are other files referencing external git pipelines with 'main' or other mutable references
echo "=== Files with revision references ==="
rg 'revision:' .tekton/ -A 1 -B 1Repository: opendatahub-io/training-operator
Length of output: 114
Pin the external pipeline revision to a commit SHA or release tag across all references.
The pipelineRef in both .tekton/odh-training-operator-push.yaml and .tekton/odh-training-operator-pull-request.yaml depend on the mutable main branch of odh-konflux-central. This creates supply-chain and reproducibility risk (CWE-494, CWE-829): builds are not deterministic if the external pipeline changes unexpectedly, and you have no control over what code executes during your CI/CD.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.tekton/odh-training-operator-push.yaml around lines 31 - 39, The
pipelineRef currently uses the mutable branch name "main" in the params (params
-> name: revision -> value: main); update this to a fixed commit SHA or an
immutable release tag to ensure reproducible builds and eliminate supply-chain
risk, and make the same change wherever pipelineRef.params.revision is set
(e.g., in .tekton/odh-training-operator-push.yaml and
.tekton/odh-training-operator-pull-request.yaml) so both references point to the
exact same commit or tag.
There was a problem hiding this comment.
♻️ Duplicate comments (1)
.tekton/odh-training-operator-push.yaml (1)
46-47:⚠️ Potential issue | 🟡 MinorEOF issue unresolved—pre-commit still failing.
Pipeline failure indicates
end-of-file-fixermodified the file. Line 47 appears to be an extra blank line. File should end withstatus: {}followed by exactly one newline character, no trailing blank line.Proposed fix
status: {} -Ensure the file ends with
status: {}\n(single newline after the closing brace, no additional blank line).,
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.tekton/odh-training-operator-push.yaml around lines 46 - 47, The file ends with an extra blank line causing end-of-file-fixer to modify it; update .tekton/odh-training-operator-push.yaml so the last non-whitespace content is the line "status: {}" and ensure the file terminates with exactly one newline character (i.e., remove the trailing blank line after the closing brace).
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Duplicate comments:
In @.tekton/odh-training-operator-push.yaml:
- Around line 46-47: The file ends with an extra blank line causing
end-of-file-fixer to modify it; update .tekton/odh-training-operator-push.yaml
so the last non-whitespace content is the line "status: {}" and ensure the file
terminates with exactly one newline character (i.e., remove the trailing blank
line after the closing brace).
ℹ️ Review info
⚙️ Run configuration
Configuration used: Central YAML (base), Organization UI (inherited)
Review profile: CHILL
Plan: Pro
Run ID: fb1223cc-cd06-4278-ab84-aee1248a8029
📒 Files selected for processing (2)
.tekton/odh-training-operator-pull-request.yaml.tekton/odh-training-operator-push.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
- .tekton/odh-training-operator-pull-request.yaml
ChughShilpa
approved these changes
Mar 10, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this PR does / why we need it:
Which issue(s) this PR fixes (optional, in
Fixes #<issue number>, #<issue number>, ...format, will close the issue(s) when PR gets merged):Fixes #
Checklist:
Summary by CodeRabbit