Central configuration repository for Red Hat OpenShift AI (RHOAI) Konflux CI/CD. This repo manages two synchronization systems that keep RHOAI component repositories consistent: Pipeline Sync and Renovate Sync.
RHOAI is an OpenShift operator built on top of Open Data Hub (ODH). Source code flows through a series of forks:
upstream repos (if applicable) → ODH repos → RHOAI repo (main) → RHOAI repo (release branch) → build and delivery
Builds run on Konflux, which uses Tekton pipelines-as-code. Each component repository has a .tekton/ directory containing PipelineRun definitions that tell Konflux how to build the component's container image(s).
Rather than managing PipelineRun definitions independently in each of the 48+ component repositories, this repo serves as the single source of truth. PipelineRun files are authored and maintained here, then automatically synced to component repos.

```
konflux-central                                    component repos
┌──────────────────────────────────┐               ┌──────────────────────────┐
│ pipelineruns/{component}/.tekton/│  ── sync ──►  │ .tekton/                 │
│ ├── component-v3-4-push.yaml     │               │ ├── component-v3-4-...   │
│ └── component-v3-4-pr.yaml       │               │ └── component-v3-4-...   │
│                                  │               └──────────────────────────┘
│ pipelines/                       │
│ ├── container-build.yaml         │  ◄── referenced by pipelineruns
│ ├── multi-arch-container-...     │
│ └── fbc-fragment-build.yaml      │
└──────────────────────────────────┘
```

The .tekton/ directories in component repos should be treated as read-only. All changes must be made here in konflux-central.
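
One way to check the read-only rule above is to hash each file under `pipelineruns/{component}/.tekton/` and compare it with the component repository's `.tekton/` directory. This is an added example, not code from this repository; the function names, the `example-component` name and the sample files are constructed, and it assumes both checkouts are on matching branches.

```python
import hashlib
import tempfile
from pathlib import Path

def tekton_digests(tekton_dir: Path) -> dict[str, str]:
    """Map each file under a .tekton/ directory to its SHA-256 digest."""
    if not tekton_dir.is_dir():
        return {}
    return {
        p.relative_to(tekton_dir).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(tekton_dir.rglob("*"))
        if p.is_file()
    }

def tekton_drift(central_root: Path, component: str, component_repo: Path) -> dict[str, list[str]]:
    """Compare the central copy with the component repo's .tekton/ directory."""
    source = tekton_digests(central_root / "pipelineruns" / component / ".tekton")
    synced = tekton_digests(component_repo / ".tekton")
    return {
        "modified": sorted(f for f in source.keys() & synced.keys() if source[f] != synced[f]),
        "missing": sorted(source.keys() - synced.keys()),
        "unmanaged": sorted(synced.keys() - source.keys()),
    }

def build_sample(root: Path) -> tuple[Path, Path]:
    """Constructed sample trees: one locally edited file and one unmanaged file."""
    central = root / "konflux-central"
    repo = root / "example-component"
    src = central / "pipelineruns" / "example-component" / ".tekton"
    dst = repo / ".tekton"
    src.mkdir(parents=True)
    dst.mkdir(parents=True)
    (src / "example-component-v3-4-push.yaml").write_text("kind: PipelineRun\n# push\n")
    (src / "example-component-v3-4-pr.yaml").write_text("kind: PipelineRun\n# pr\n")
    (dst / "example-component-v3-4-push.yaml").write_text("kind: PipelineRun\n# push, edited\n")
    (dst / "example-component-v3-4-pr.yaml").write_text("kind: PipelineRun\n# pr\n")
    (dst / "extra-local.yaml").write_text("kind: PipelineRun\n")
    return central, repo

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        central, repo = build_sample(Path(tmp))
        for kind, files in tekton_drift(central, "example-component", repo).items():
            print(f"{kind}: {files}")
```

A commit made with `[skip-sync]` leaves the two copies legitimately different until the next sync, so findings should be read against the commit history of this repo.
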

- `pipelines/` — Reusable Tekton pipeline definitions shared by all components
  - `container-build.yaml` — Single-architecture container builds
  - `multi-arch-container-build.yaml` — Multi-platform builds (amd64, arm64, ppc64le, s390x)
  - `fbc-fragment-build.yaml` — File-Based Catalog fragment builds
- `pipelineruns/` — Component-specific PipelineRun definitions, organized as `pipelineruns/{component}/.tekton/`
  - Files follow the naming pattern: `{component}-{version}-{trigger}.yaml`
  - Triggers: `push` (builds on merge), `pull-request` (validates PRs), `scheduled` (nightly/periodic)
- `.tekton/` — Pull request pipelines for this repo itself (canary builds to validate pipeline changes)

| Branch | Purpose |
|---|---|
| `main` | Development branch. Contains pull request pipelines and tooling only — no push pipelines. |
| `rhoai-X.Y` | Release branches (e.g., rhoai-2.16, rhoai-3.4). Contain push and PR pipelineruns for all components in that release. Z-stream releases (e.g., v2.16.5) continue on the same rhoai-X.Y branch — there is no separate branch per patch version. See Z-Stream Updates for how to bump the version. |
| `rhoai-X.Y-ea.N` | Early access release branches (e.g., rhoai-3.4-ea.2). Same structure as release branches. |

Unlike source code repos, changes on main do not flow to release branches. Each branch is independent.

The sync-pipelineruns GitHub Actions workflow runs automatically when files under pipelineruns/ are pushed to main or any rhoai-* branch. It:
- Detects which component directories changed
- Generates a sync matrix via `generate_pipelinerun_sync_config.py`
- Copies each component's `.tekton/` directory to the corresponding component repository
- Commits with a message linking back to the triggering commit

The workflow can also be triggered manually via workflow_dispatch for selective syncing or dry-run testing. The component dropdown in the workflow dispatch UI is automatically kept up to date by the update-repository-list workflow, which runs whenever pipelineruns/ changes.
To skip sync on a commit, include [skip-sync] in the commit message.
The pipelinerun-replicator workflow automates creation of new release branches:
- Takes a source branch (e.g., `rhoai-3.3`) and target version (e.g., `rhoai-3.4`, `v3.4.0`)
- Copies all pipelinerun files, updating version references, file names, and labels
- Commits with `[skip-sync]` to prevent immediate sync

The apply-z-stream-changes workflow increments patch versions (e.g., v3.4.0 → v3.4.1) across all pipelinerun version labels in a release branch.

- Create `pipelineruns/{component-name}/.tekton/`
- Add PipelineRun YAML files following the naming convention
- Reference the appropriate pipeline from `pipelines/`
- Configure trigger annotations for push/PR events
- Push to the appropriate release branch — the sync workflow will distribute the files

- PRs to `rhoai-*` branches trigger validation pipelines in `.tekton/` (canary builds)
- The validate-pipelineruns workflow runs structural validation on PRs — see docs/validate-pipelineruns.md for details

Centralized management and synchronization of Renovate configuration files across RHOAI component repositories. Renovate automates dependency update PRs (e.g., base image digest bumps, Tekton task bundle updates).
- Author configs in the `renovate/` directory of this repository
- Map configs to repos by editing `config.yaml`
- Run the sync via the sync-renovate-configs GitHub Actions workflow (manual trigger)

| Config | Purpose | Target Repos |
|---|---|---|
| `default-renovate.json5` | Standard RHOAI renovate config. Auto-merges digest-only updates for Dockerfile.konflux files, tracks RPM updates. | Most RHOAI component repos (~35) |
| `custom-renovate.json5` | Tracks container image digests in additional-images-patch.yaml files. | RHOAI-Build-Config |
| `llama-stack-renovate.json5` | Tracks base images, PyPI packages, and GitLab wheel artifacts. | llama-stack-distribution |
| `pipelines-renovate.json5` | Maintains Tekton task bundle references in pipeline YAML files. Digest-only updates, auto-merge. | This repo (konflux-central) |

The .json5 source files are compiled to .json distribution files for sync.

```yaml
- renovate-config: "renovate/default-renovate-distribution.json"
  sync-repositories:
    - name: "red-hat-data-services/trustyai-explainability"
    - name: "red-hat-data-services/argo-workflows"
      targetFilePath: "renovate.json"  # optional, default: .github/renovate.json
- renovate-config: "renovate/custom-renovate-distribution.json"
  sync-repositories:
    - name: "red-hat-data-services/RHOAI-Build-Config"
```

- `renovate-config`: Path to the distribution JSON file in `renovate/`
- `sync-repositories`: List of target repositories
- `targetFilePath` (optional): Custom destination path for the config file. Defaults to `.github/renovate.json`
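
A pre-sync check of the mapping described above, as an added example that is not part of this repository's tooling: it takes the mapping as a YAML parser would return it and flags config paths outside `renovate/`, repositories outside the expected organization, `targetFilePath` values that are absolute or contain `..`, and a repository file written by two different configs. `check_mapping`, `ALLOWED_ORG` and the entries in `BAD_CONFIG` are assumptions made for illustration.

```python
from pathlib import PurePosixPath

DEFAULT_TARGET = ".github/renovate.json"  # default stated in this README
ALLOWED_ORG = "red-hat-data-services"  # assumption: the only org that is synced

def check_mapping(entries):
    """Return findings for a parsed config.yaml mapping; empty means clean."""
    findings, seen = [], {}  # seen: (repo, target path) -> config writing it
    for entry in entries:
        config = entry.get("renovate-config", "")
        cfg = PurePosixPath(config)
        if cfg.parts[:1] != ("renovate",) or ".." in cfg.parts or cfg.suffix != ".json":
            findings.append(f"{config}: not a .json file under renovate/")
        for repo in entry.get("sync-repositories") or []:
            name = repo.get("name", "")
            target = PurePosixPath(repo.get("targetFilePath", DEFAULT_TARGET))
            org, _, repo_name = name.partition("/")
            if org != ALLOWED_ORG or not repo_name or "/" in repo_name:
                findings.append(f"{name}: outside {ALLOWED_ORG}")
            if target.is_absolute() or ".." in target.parts:
                findings.append(f"{name}: unsafe targetFilePath {str(target)!r}")
            other = seen.setdefault((name, target.as_posix()), config)
            if other != config:
                findings.append(f"{name}: {target} written by {other} and {config}")
    return findings

DEFAULT = "renovate/default-renovate-distribution.json"
CUSTOM = "renovate/custom-renovate-distribution.json"
# The README's example mapping, as a YAML parser would return it.
PAGE_CONFIG = [
    {"renovate-config": DEFAULT, "sync-repositories": [
        {"name": f"{ALLOWED_ORG}/trustyai-explainability"},
        {"name": f"{ALLOWED_ORG}/argo-workflows", "targetFilePath": "renovate.json"}]},
    {"renovate-config": CUSTOM, "sync-repositories": [
        {"name": f"{ALLOWED_ORG}/RHOAI-Build-Config"}]},
]
# Constructed entries that the check should reject.
BAD_CONFIG = [
    {"renovate-config": DEFAULT, "sync-repositories": [
        {"name": "example-org/some-repo"},
        {"name": f"{ALLOWED_ORG}/argo-workflows", "targetFilePath": "../.tekton/renovate.json"},
        {"name": f"{ALLOWED_ORG}/trustyai-explainability"}]},
    {"renovate-config": CUSTOM, "sync-repositories": [
        {"name": f"{ALLOWED_ORG}/trustyai-explainability"}]},
]

if __name__ == "__main__":
    for finding in check_mapping(BAD_CONFIG):
        print(finding)
```
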