Merged
10 changes: 10 additions & 0 deletions README.md
Expand Up @@ -28,6 +28,16 @@ Manage plugins in the [rhdh-plugin-export-overlays](https://github.com/redhat-de

- **[overlay](./skills/overlay/SKILL.md)** — Onboard new plugins, update versions, fix CI failures, triage and analyze PRs, trigger `/publish`. Covers both plugin-owner and core-team workflows.

### Konflux / Tekton

Update Konflux task digests and apply `MIGRATION.md` pipeline changes in [rhdh-plugin-catalog](https://gitlab.cee.redhat.com/rhidp/rhdh-plugin-catalog) or [rhdh](https://gitlab.cee.redhat.com/rhidp/rhdh) midstream.

- **[konflux-tekton-updates](./skills/konflux-tekton-updates/SKILL.md)** — Run `.tekton/updateDigests.sh --minor --no-push`, apply [build-definitions](https://github.com/konflux-ci/build-definitions) task migrations, update shared pipelines/templates and PLR generators. Repo-specific file lists: [plugin-catalog](./skills/konflux-tekton-updates/references/plugin-catalog.md), [RHDH midstream](./skills/konflux-tekton-updates/references/rhdh-midstream.md).

```bash
npx skills add redhat-developer/rhdh-skill --skill konflux-tekton-updates
```

### Local Testing

Test plugins in a local RHDH instance before deploying.
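
Review bot: In the intro sentence of the new "Konflux / Tekton" section, both repository links point at gitlab.cee.redhat.com, while the other links in this hunk point at github.com; if that host needs internal access, say so next to the links so outside readers know why they may not open. It would also help to repeat here, beside the `npx skills add` line, that the skill only commits locally and leaves the push to a human, since SKILL.md makes that its main rule and the README summary mentions `--no-push` only as part of a command.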
93 changes: 93 additions & 0 deletions skills/konflux-tekton-updates/SKILL.md
@@ -0,0 +1,93 @@
---
name: konflux-tekton-updates
description: >-
Bumps Konflux Tekton task digests with .tekton/updateDigests.sh --minor --no-push,
applies konflux-ci/build-definitions MIGRATION.md pipeline fixes, and regenerates
PipelineRuns. Use for rhdh-plugin-catalog, RHDH midstream (4-rhdh), Konflux task
minor bumps, prefetch-dependencies-oci-ta, build-image-index, or updateDigests.sh.
---

# Konflux Tekton updates

## Goal

After a **minor** Konflux task tag bump, update `.tekton` pipelines and generators so builds keep working. Apply what each `MIGRATION.md` says; do **not** add drift tests that block future Konflux updates.

## Prerequisites

`skopeo`, `jq` (>= 1.7), `yq`. Optional: `gh` for PR creation from scripts.

## Commit locally; never push without human review

| Script | Flag | Effect |
|--------|------|--------|
| `updateDigests.sh` | `--no-push` / `--nopush` (`-p`) | Commit locally; no push/PR |
| `updateDigests.sh` | `--minor` | Disables push; use with `--no-push` for clarity |
| `updateDigests.sh` | `--no-commit` / `-n` | Preview only |
| `generatePipelineRunsForPlugins.sh` | `--nopush` | Commit locally; no push |
| `generatePipelineRunsForPlugins.sh` | `--nocommit` | Write YAML only |

`generatePipelineRuns.sh` does not commit or push.

**Do not** run digest/generator scripts without `--no-push` / `--nopush` unless the user explicitly requests a push.

## Detect repo layout

| Marker in repo | Read |
|----------------|------|
| `.tekton/generatePipelineRunsForPlugins.sh` | [references/plugin-catalog.md](references/plugin-catalog.md) |
| `.tekton-templates/rhdh-pipeline.yaml` | [references/rhdh-midstream.md](references/rhdh-midstream.md) |

If both exist, apply changes for the repo you are working in.

## Workflow

### 1. Bump digests

```bash
cd .tekton
./updateDigests.sh --minor --no-push
```

- Updates `tag@sha256` in `*.yaml` (and `.tekton-templates/*.yaml` in RHDH midstream).
- Tag changes list `MIGRATION.md` URLs under `konflux-ci/build-definitions`.
- Digest-only: `./updateDigests.sh --no-push -q`

Review `git diff` for `quay.io/konflux-ci/tekton-catalog/task-*` changes.

### 2. Apply migrations

For each URL from `updateDigests.sh` (or from the diff):

1. Read `MIGRATION.md`.
2. Apply **only** documented user actions.
3. Skip “no action required” sections.

### 3. Regenerate (optional)

After fixing shared pipelines/templates and generator scripts:

- **plugin-catalog:** `./generatePipelineRunsForPlugins.sh -v <x.y.z> --nopush`
- **RHDH midstream:** `./generatePipelineRuns.sh -t <x.y>`

### 4. Human review and push

Human reviews the full diff, then `git push` or opens a PR.

## Known migration patterns

Use live `MIGRATION.md` as source of truth. Common cases:

| Task | Action |
|------|--------|
| `prefetch-dependencies-oci-ta` 0.2→0.3 | Remove `dev-package-managers`; add pipeline param `enable-package-registry-proxy` (default `"true"`) and pass to prefetch task |
| `build-image-index` 0.2→0.3 | Remove `COMMIT_SHA` / `IMAGE_EXPIRES_AFTER` from **build-image-index** task only; keep `image-expires-after` on buildah/prefetch |
| `init` 0.3→0.4 | No pipeline changes |
| `init` 0.4.1→0.4.2 | Remove broken auto-added `sast-target-dirs` pipeline param if present |

## Anti-patterns

- Pushing without `--no-push` / `--nopush` and human sign-off.
- Leaving removed task params (`dev-package-managers`, `COMMIT_SHA` on `build-image-index`).
- Adding `verify_*` guards that fail on the next Konflux bump.
- Dropping `image-expires-after` from PLRs only because `build-image-index` no longer uses it.
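
Review bot: Step "2. Apply migrations" tells the agent to read each `MIGRATION.md` URL and apply what it documents, but nothing bounds which URLs are followed or which files may be touched. State that only URLs under `konflux-ci/build-definitions` are read, that edits are limited to the `.tekton` and `.tekton-templates` YAML and the generator scripts, and that commands quoted inside a `MIGRATION.md` are not executed. Separately, the digest-only line in step 1 uses `-q`, which does not appear in the flag table under "Commit locally; never push without human review"; add a row for it or drop the flag from the example.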
33 changes: 33 additions & 0 deletions skills/konflux-tekton-updates/references/plugin-catalog.md
@@ -0,0 +1,33 @@
# rhdh-plugin-catalog layout

## Files to update

| Location | When to edit |
|----------|----------------|
| `.tekton/oci-plugin-build-pipeline.yaml` | Shared `Pipeline`; most PLRs use `pipelineRef` |
| `.tekton/plugin-catalog-index-*-push.yaml` | Inline `pipelineSpec` (catalog index) |
| `.tekton/plugin-catalog-builder-*-{push,pull}.yaml` | Inline `pipelineSpec` (catalog builder) |
| `.tekton/*-push.yaml` (many components) | Usually `spec.params` only when migration adds pipeline params |
| `.tekton/*-pull.yaml` | Same when present |
| `.tekton/generatePipelineRunsForPlugins.sh` | Heredoc for regenerated PLRs + `*.Containerfile` |
| `.tekton/updateToStableBranch.py` | Version renames only — not Konflux migrations |

Plugin PLRs with `pipelineRef: oci-plugin-build-pipeline` inherit task wiring from the shared pipeline; add PLR `spec.params` when migrations require explicit pipeline parameters.

## Regenerate

```bash
cd .tekton
./generatePipelineRunsForPlugins.sh -v <x.y.z> --nopush
```

## Generator: new pipeline params

Add to the PipelineRun heredoc `spec.params` when `oci-plugin-build-pipeline` gains a param, e.g.:

```yaml
- name: enable-package-registry-proxy
value: "true"
```

Do not embed full `pipelineSpec` in the generator.
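
Review bot: In the "Files to update" table, the `.tekton/*-push.yaml` row ("Usually `spec.params` only") also matches `plugin-catalog-index-*-push.yaml` and `plugin-catalog-builder-*-push.yaml`, which the rows above describe as inline `pipelineSpec` files needing fuller edits. Word that row as the remaining component PLRs that use `pipelineRef`, so an agent does not stop at `spec.params` for the inline ones. In the YAML sample under "Generator: new pipeline params", check that `value: "true"` is indented under the `- name:` item in the committed file, since the heredoc expects it to be copied verbatim.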
34 changes: 34 additions & 0 deletions skills/konflux-tekton-updates/references/rhdh-midstream.md
@@ -0,0 +1,34 @@
# RHDH midstream layout (4-rhdh)

`updateDigests.sh` also updates `.tekton-templates/*.yaml` via `TEMPLATEPATH`.

## Files to update

Edit **templates first**, then regenerate or patch PLRs.

| Location | When to edit |
|----------|----------------|
| `.tekton-templates/rhdh-pipeline.yaml` | hub, operator, must-gather |
| `.tekton-templates/rhdh-operator-bundle.yaml` | operator-bundle (different task set) |
| `.tekton-templates/components.yaml` | Metadata for `generatePipelineRuns.sh` |
| `.tekton/rhdh-hub-<N>-{push,pull}.yaml` | From `rhdh-pipeline.yaml` |
| `.tekton/rhdh-operator-<N>-{push,pull}.yaml` | From `rhdh-pipeline.yaml` |
| `.tekton/rhdh-must-gather-<N>-{push,pull}.yaml` | From `rhdh-pipeline.yaml` |
| `.tekton/rhdh-operator-bundle-<N>-{push,pull}.yaml` | From `rhdh-operator-bundle.yaml` |
| `.tekton/rhdh-rag-content-<N>-{push,pull}.yaml` | Inline `pipelineSpec` — edit directly |
| `.tekton/fbc-<version>-push.yaml` | FBC pipelines; often `build-image-index` without prefetch |
| `.tekton/images-mirror-set.yaml` | Only if task bundles are referenced |

## Regenerate

```bash
cd .tekton
./generatePipelineRuns.sh -t <x.y>
```

Updates `rhdh-*-{push,pull}.yaml` and FBC `target_branch` placeholders in `fbc-*-push.yaml`.

## Generator: template changes

- Edit `pipelineSpec.params` and task `params` in `rhdh-pipeline.yaml` / `rhdh-operator-bundle.yaml`.
- `components.yaml` only if extending `generatePipelineRuns.sh` placeholders for per-component PLR params.
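
Review bot: The "Regenerate" section says `generatePipelineRuns.sh` updates `rhdh-*-{push,pull}.yaml`, and that pattern also matches `rhdh-rag-content-<N>-{push,pull}.yaml`, which the table marks as inline `pipelineSpec` to "edit directly". Say whether regeneration rewrites the rag-content files; if it does, direct edits made for a migration would be lost and the order of steps matters. The opening line also names `TEMPLATEPATH` without saying where it is set, and the table mixes `<N>` and `<version>` placeholders without defining either; one sentence for each would be enough.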