bootstrap konflux build pipelines

[rauhersu]

Summary by CodeRabbit

• New Features
  • Introduced automated pipelines for container image builds that include extensive validations.
  • Pipelines operate on both pull request and push events, ensuring efficient, reliable builds with integrated security and compliance checks.
  • Added new configuration files for Tekton PipelineRun to enhance the container image build process.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rauhersu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [rauhersu]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Walkthrough

This pull request introduces two new Tekton PipelineRun configuration files that automate container image builds. The pipelines—one for pull-request events and one for push events—execute a series of tasks including repository cloning, container image building, and various validation checks (security scans, SAST checks, and deprecation verifications). Both pipelines use dynamic parameters, shared workspaces, and conditional task execution for error handling and dependency management, ensuring a streamlined CI/CD process.

Changes

Files	Change Summary
.tekton/recert-4-19-pull-request.yaml, .tekton/recert-4-19-push.yaml	Adds two new Tekton PipelineRun configuration files. The pull-request pipeline defines tasks for initializing, cloning, building the container, and executing checks (Clair scan, SAST-Snyk, and deprecated image checks). The push pipeline similarly automates builds, including dependency prefetch and image indexing.

Sequence Diagram(s)

Pull-Request Pipeline

sequenceDiagram
    participant PR as PipelineRun (PR Event)
    participant INIT as Init Task
    participant CLONE as Clone Repository
    participant BUILD as Build Container
    participant CLAIR as Clair Scan
    participant SAST as SAST-Snyk Check
    participant DEPREC as Deprecated Base Image Check

    PR->>INIT: Start initialization
    INIT->>CLONE: Trigger repository clone
    CLONE->>BUILD: On completion, build container image
    BUILD->>CLAIR: Trigger Clair Scan
    BUILD->>SAST: Trigger SAST-Snyk Check
    BUILD->>DEPREC: Trigger Deprecated Base Image Check

Loading

Push Pipeline

sequenceDiagram
    participant PR as PipelineRun (Push Event)
    participant INIT as Init Task
    participant CLONE as Clone Repository
    participant DEP as Prefetch Dependencies
    participant BUILD as Build Container
    participant SCAN as Security/SAST Checks
    participant INDEX as Image Index/Source Tasks

    PR->>INIT: Start initialization
    INIT->>CLONE: Trigger repository clone
    CLONE->>DEP: Prefetch dependencies
    DEP->>BUILD: Build container image
    BUILD->>SCAN: Initiate security and SAST checks
    BUILD-->>INDEX: On successful build, trigger indexing tasks

Loading

Suggested labels

lgtm

Suggested reviewers

• omertuc
• fontivan

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

‼️ IMPORTANT
Auto-reply has been disabled for this repository in the CodeRabbit settings. The CodeRabbit bot will not respond to your replies unless it is explicitly tagged.

• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

.tekton/recert-4-19-push.yaml (2)

1-12: Review Metadata and Annotation Formatting
The metadata block is comprehensive. In particular, the multiline setting of the pipelinesascode.tekton.dev/on-cel-expression (lines 10–11) should be verified for proper YAML formatting. Consider whether quoting the entire expression might help avoid parsing issues.

---

141-597: Assess Tasks Sequence and Dependencies
The tasks are arranged in a logical sequence with appropriate runAfter and when conditions. Each task references specific Tekton bundles with clearly defined parameters. As this section is extensive, consider periodic refactoring or modular segmentation to enhance maintainability.

.tekton/recert-4-19-pull-request.yaml (1)

144-594: Assess Tasks Sequence and Dependencies for PR
The tasks in the pull request pipeline are ordered with clear dependencies using runAfter and when clauses. Their configuration closely follows that of the push pipeline. As this section is extensive, consider future modularization to improve clarity and maintainability.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5d7322d and 430c8ac.

📒 Files selected for processing (4)

• .tekton/recert-4-19-pull-request.yaml (1 hunks)
• .tekton/recert-4-19-push.yaml (1 hunks)
• .tekton/recert-4-19-pull-request.yaml (1 hunks)
• .tekton/recert-4-19-push.yaml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: build

🔇 Additional comments (16)

.tekton/recert-4-19-push.yaml (8)

13-18: Labels and Namespace Verification
Labels, the pipeline name (recert-4-19-on-push), and the namespace (telco-5g-tenant) are set clearly. Ensure that these values align with your deployment and organizational policies.

---

20-28: Inspect Top-level Pipeline Parameters
The parameters for git-url, revision, output-image, and dockerfile use templating syntax (e.g. {{source_url}}, {{revision}}) correctly. Please verify that these tokens resolve as expected during runtime.

---

29-34: Clear Pipeline Description
The description provided in the pipelineSpec (lines 30–34) is informative and outlines the purpose of the pipeline. Consider adding any additional usage guidance if needed for clarity.

---

35-48: Validate 'finally' Section – SBOM Task
The show-sbom task is well defined with proper parameters and bundle reference. Confirm that the value retrieved via $(tasks.build-image-index.results.IMAGE_URL) is reliably produced by the build-image-index task.

---

49-57: Validate 'finally' Section – Summary Task
The show-summary task effectively aggregates build results and repository details using context variables like $(context.pipelineRun.name). Ensure that the workspace binding and parameter passing meet your expected outcomes.

---

71-127: Examine PipelineSpec Parameter Definitions
The detailed parameter definitions inside the pipelineSpec (lines 71–127) cover build options such as path-context, rebuild, skip-checks, and others. The default values and types appear consistent; please double-check that these match your intended pipeline behavior.

---

128-137: Review Results Configuration
The results block is standard and correctly maps outputs from the build-image-index task. Verify that all result references remain consistent with the task definitions.

---

598-611: Review TaskRunTemplate and Workspace Setup
The taskRunTemplate is left empty (implying default behavior) and the workspaces are defined with a volume claim template for workspace along with optional git-auth and netrc workspaces. Confirm that the allocated storage (1Gi) and these bindings meet your requirements for build artifacts and source persistence.

.tekton/recert-4-19-pull-request.yaml (8)

1-13: Metadata for Pull Request Pipeline
The metadata is well tailored for pull request events. Notably, the inclusion of the build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' annotation (line 7) enhances traceability, and setting pipelinesascode.tekton.dev/cancel-in-progress to "true" (line 9) appropriately prioritizes new PR events.

---

14-19: Verify Labels and Namespace
The labels, pipeline name (recert-4-19-on-pull-request), and the namespace (telco-5g-tenant) are clearly specified. These settings are consistent with the push pipeline and should ensure uniform deployment targets.

---

21-31: Inspect Spec Parameters for PR Build
The top-level parameters—especially the output-image parameter using on-pr-{{revision}} (line 27) and the image-expires-after set to 5d (line 29)—are correctly differentiated from the push pipeline. Verify these values against your versioning and retention strategies.

---

32-37: Pipeline Description Clarity
The brief description in the pipelineSpec (lines 32–37) effectively communicates the pipeline’s purpose for pull request events. Confirm this description aligns with your broader documentation and intended use case.

---

38-51: Validate 'finally' Section – SBOM Task for PR
The show-sbom task (lines 38–51) mirrors the push pipeline’s configuration and correctly uses $(tasks.build-image-index.results.IMAGE_URL). Make sure this integration reliably produces the expected SBOM artifacts.

---

52-73: Validate 'finally' Section – Summary Task for PR
The show-summary task (lines 52–73) aggregates critical details using context variables. It is well integrated with the repository and build tasks. Double-check that the workspace and parameter mappings are consistent with your CI/CD requirements for pull requests.

---

74-130: Examine PipelineSpec Parameter Section
The parameters defined within the pipelineSpec (lines 74–130) are comprehensive and mirror those in the push pipeline—with defaults and types clearly stated. Please verify that these settings precisely support the pull request build logic.

---

595-618: Review TaskRunTemplate and Workspace Configuration
The taskRunTemplate (empty object) implies default behavior, and the subsequent workspace definitions—including a volume claim template for workspace and optional git-auth/netrc—are set up appropriately. Ensure that the storage and secret configurations meet your pipeline’s operational needs.

[rauhersu]

/retest

[rauhersu]

/retest

[rauhersu]

/retest

[rauhersu]

/retest

[rauhersu]

/retest

[rauhersu]

/retest

[rauhersu]

/retest

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

.tekton/recert-4-19-pull-request.yaml (1)

423-461: Task “sast-coverity-check”

This task (lines 423–461) performs a Coverity static analysis and depends on a successful “coverity-availability-check”. For clarity, consider reordering its definition so that the “coverity-availability-check” task appears before this task in the YAML (even though Tekton uses runAfter for execution order).

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 430c8ac and 01994d1.

📒 Files selected for processing (2)

• .tekton/recert-4-19-pull-request.yaml (1 hunks)
• .tekton/recert-4-19-push.yaml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• .tekton/recert-4-19-push.yaml

🔇 Additional comments (26)

.tekton/recert-4-19-pull-request.yaml (26)

1-12: Metadata & Annotations Structure

The API version, kind, and metadata (including the repository annotations and CEL expression) are clearly defined. Please double-check that the multi‐line CEL expression (lines 11–12) behaves as intended in your Tekton environment.

---

21-37: Outer Spec Parameters and PipelineSpec Description

The outer spec parameters (lines 21–31) correctly supply dynamic values (e.g. git URL, revision, output image, dockerfile path). The subsequent pipelineSpec description (lines 32–37) is clear and informative. Ensure that the parameters defined here and later within pipelineSpec remain consistent.

---

38-70: Finally Block – Post-Build Tasks

The “finally” section (lines 38–70) includes the critical tasks “show-sbom” and “show-summary” that always execute, regardless of build success. Their parameter references (e.g. using results from previous tasks and context variables) look correct. Consider adding inline comments if further clarity is needed in the future.

---

74-94: Pipeline Parameters Definitions within pipelineSpec

The pipeline parameters (lines 74–94) are defined with descriptive defaults and types. Note that some defaults (e.g. for the dockerfile) differ from the outer spec—please verify that these intentional overrides meet your repository layout and build requirements.

---

131-142: Result Parameters Configuration

The result parameters (lines 131–142) properly capture outputs (such as IMAGE_URL, IMAGE_DIGEST, and Git commit info) from tasks. This configuration will support downstream tasks that rely on these results.

---

144-161: Task “init”

This task (lines 144–161) initializes the build setup by passing relevant parameters like the output image URL, rebuild flag, and skip-checks option. The Tekton bundle reference appears correct.

---

162-190: Task “clone-repository”

The “clone-repository” task (lines 162–190) is well-configured: it receives the git URL and revision, runs after “init”, and its conditional execution based on the build flag is clear.

---

189-216: Task “prefetch-dependencies”

The task (lines 189–216) handles dependency prefetching effectively by checking that the “prefetch-input” parameter is not empty. Its runAfter dependency on “clone-repository” is properly set.

---

216-252: Task “build-container”

This task (lines 216–252) uses parameters (IMAGE, DOCKERFILE, CONTEXT, etc.) for building the container image with buildah. One note: verify that the provided DOCKERFILE value (set to “.konflux/Dockerfile”) intentionally overrides any defaults and accurately reflects your repo structure.

---

256-284: Task “build-image-index”

The “build-image-index” task (lines 256–284) correctly creates an OCI image index by combining the image URL and digest. The parameter substitution (using the “@” separator) is neat and should work as expected.

---

285-309: Task “build-source-image”

This task (lines 285–309) conditionally builds a source image by checking both the build flag and the “build-source-image” parameter. The two “when” conditions ensure it runs only when intended.

---

312-332: Task “deprecated-base-image-check”

Task “deprecated-base-image-check” (lines 312–332) verifies if the base image is deprecated. Its configuration and condition (based on skip-checks) are appropriate.

---

334-354: Task “clair-scan”

The “clair-scan” task (lines 334–354) is properly set up to run vulnerability scans using Clair. The linkage to the image digest and URL is correct.

---

356-375: Task “ecosystem-cert-preflight-checks”

This task (lines 356–375) runs ecosystem certification preflight checks. Its dependency on the build-image-index and the skip-checks condition are properly defined.

---

376-392: Task “sast-snyk-check”

The “sast-snyk-check” task (lines 376–392) triggers a SAST scan using Snyk. The parameters and conditional execution based on skip-checks look good. It might be beneficial to periodically validate that the bundled Snyk task remains up to date with security advisories.

---

401-421: Task “clamav-scan”

Configured in lines 401–421, the “clamav-scan” task integrates antivirus scanning. Its use of the image digest and URL from the previous task is consistent.

---

469-486: Task “coverity-availability-check”

The “coverity-availability-check” task (lines 469–486) checks whether Coverity scanning can proceed. Its dependency on skip-checks being false is correctly implemented.

---

487-507: Task “sast-shell-check”

The “sast-shell-check” task (lines 487–507) inspects shell scripts for potential vulnerabilities. Its configuration is standard and matches expected parameters.

---

511-530: Task “sast-unicode-check”

Task “sast-unicode-check” (lines 511–530) is straightforward—it checks for issues related to Unicode characters. The setup and condition ensure it runs only when skip-checks is false.

---

534-548: Task “apply-tags”

This task (lines 534–548) applies tags to the built image. It correctly references the image URL from the “build-image-index” task.

---

550-569: Task “push-dockerfile”

The “push-dockerfile” task (lines 550–569) pushes the Dockerfile along with context parameters. Please ensure that the DOCKERFILE and CONTEXT values accurately match your repository layout.

---

573-594: Task “rpms-signature-scan”

Task “rpms-signature-scan” (lines 573–594) is aimed at verifying RPM signatures for the image. Its execution condition based on skip-checks is sound.

---

596-600: Pipeline Workspaces Configuration

The pipeline-level workspaces (lines 596–600) are defined with the expected workspaces (“workspace”, “git-auth”, and “netrc” marked as optional). This provides flexibility for tasks that require authentication or network runtime settings.

---

602-613: Persistent Volume Claim Template for Workspace

The volumeClaimTemplate (lines 602–613) allocates 1Gi storage with ReadWriteOnce access. This is adequate for intermediate build artifacts and shared workspaces.

---

614-617: Git-Auth Workspace Secret Reference

The git-auth workspace (lines 614–617) correctly employs a templated secret reference via {{ git_auth_secret }}. Ensure that the corresponding secret exists in the target namespace.

---

617-618: Status Initialization

The status field (lines 617–618) is initialized as an empty map, which is standard for new PipelineRun definitions.

[rauhersu]

superseded by: #182