chore(KONFLUX-6210): fix and set name and cpe label for recert #581

Merged
fontivan merged 1 commit into rh-ecosystem-edge:main from fontivan:sskeard/cpe
Oct 3, 2025

@fontivan fontivan commented Oct 3, 2025

For https://issues.redhat.com/browse/KONFLUX-6210, clair needs access to a name and cpe label that it can use to look up the image in VEX statements.

See also release-engineering/rhtap-ec-policy#149

Based on original changes from @rbean in our other operator repos

Assisted-by: Gemini

Summary by CodeRabbit

  • New Features

    • Add support for custom container image labels via a new pipeline parameter.
    • Include a standardized CPE label for OpenShift 4.20 on EL9 in built images.
  • Chores

    • Update build and run configurations to pass additional labels to image builds.
    • Replace a previously hard-coded image label with the new configurable approach.

@openshift-ci openshift-ci bot requested review from mresvanis and omertuc October 3, 2025 13:49

openshift-ci bot commented Oct 3, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fontivan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved label Oct 3, 2025

coderabbitai bot commented Oct 3, 2025

Walkthrough

Adds a new array parameter additional-labels to the Tekton build pipeline and passes it through PipelineRuns for PR and push. Updates the image build step to include values from this parameter and replaces a hard-coded label with a new cpe label.

Changes

| Cohort / File(s) | Summary of Changes |
| --- | --- |
| Pipeline spec update: .tekton/build-pipeline.yaml | Adds pipeline param additional-labels (array, default []); updates build-images LABELS to include $(params.additional-labels[*]); replaces static label name=openshift4/recert-rhel9 with cpe="cpe:/a:redhat:openshift:4.20::el9". |
| PipelineRun (PR): .tekton/recert-4-20-pull-request.yaml | Passes additional-labels param with value list: ["name=openshift4/recert-rhel9"]. |
| PipelineRun (push): .tekton/recert-4-20-push.yaml | Passes additional-labels param with value list including openshift4/recert-rhel9. |

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant Dev as Developer/Trigger
    participant PR as PipelineRun (PR/Push)
    participant PL as Pipeline (build-pipeline)
    participant BI as Task: build-images
    participant REG as Image Registry

    Dev->>PR: Create/Run PipelineRun\n(with params.additional-labels)
    PR->>PL: Start pipeline\n(pass additional-labels)
    PL->>BI: Execute build-images\n(LABELS += additional-labels,\nreplace static label with CPE)
    BI->>REG: Push built image\n(with computed labels)
    REG-->>Dev: Image available (labels applied)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

lgtm

Suggested reviewers

  • omertuc
  • mresvanis

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title Check | ✅ Passed | The title clearly and concisely summarizes the main change by stating that the PR fixes and sets the name and CPE label for the recert image, aligning directly with the modifications to pipeline labels described in the diff. It uses a conventional commit prefix to reference the issue without introducing unnecessary detail or ambiguity. |
| Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped. |

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 98ed3f6 and ede97a5.

📒 Files selected for processing (3)
  • .tekton/build-pipeline.yaml (2 hunks)
  • .tekton/recert-4-20-pull-request.yaml (1 hunks)
  • .tekton/recert-4-20-push.yaml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Red Hat Konflux / recert-4-20-on-pull-request
  • GitHub Check: build

Comment on lines +257 to 264
- $(params.additional-labels[*])
- com.redhat.component=recert
- description=recert
- distribution-scope=public
- io.k8s.description=recert
- name=openshift4/recert-rhel9
- release=4.20
- cpe="cpe:/a:redhat:openshift:4.20::el9"
- url=https://github.com/rh-ecosystem-edge/recert
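
Review bot: the `$(params.additional-labels[*])` entry is expanded at the top of the list, ahead of the fixed entries, so a caller that passes a key also listed here (`release`, `cpe`, `url`) produces two entries for the same key and the outcome depends on how the build step resolves duplicates. Document the intended precedence in the parameter description, or move the expansion to the end of the list if callers are meant to override the fixed values. A smaller point on the `cpe=` entry: it carries the 4.20 version in the shared pipeline while `name` is now supplied per PipelineRun, so passing the CPE through additional-labels as well would keep the version-specific values in one place.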

⚠️ Potential issue | 🟠 Major

Remove the quotes from the CPE label value.
Passing cpe="cpe:/a:redhat:openshift:4.20::el9" pushes the literal quotes through to buildah config --label, so the resulting image label becomes "cpe:/a:redhat:openshift:4.20::el9" instead of the bare CPE string Clair expects. Drop the inner quotes so the value is cpe:/a:redhat:openshift:4.20::el9.

🤖 Prompt for AI Agents
In .tekton/build-pipeline.yaml around lines 257 to 264 the CPE label is written
as cpe="cpe:/a:redhat:openshift:4.20::el9" which preserves literal quotes into
buildah config; remove the inner quotes so the label is
cpe:/a:redhat:openshift:4.20::el9 (i.e. change that list entry to the unquoted
CPE string) so the image label contains the bare CPE value Clair expects.
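
A pre-merge check for the problem raised in the comment above, as an added example (not code from the PR or the recert project). It assumes each LABELS entry reaches the build tool as one literal argument split at the first `=`, with no shell in between to strip quotes; `lint_labels`, the regex and the sample lists are hypothetical names, and the entries are constructed from the hunk on this page.

```python
import re

# Loose shape check for a CPE 2.2 URI: "cpe:/" + part (a|o|h) followed by
# up to six colon-separated components. Not a full CPE validator.
CPE22 = re.compile(r"^cpe:/[aoh](:[^:\s\"']*){1,6}$")


def lint_labels(entries):
    """Return (entry, problem) pairs for a list of LABELS array items.

    Assumption: every item is passed through verbatim as one argument,
    so any quote characters inside the item end up in the label value.
    """
    problems, seen = [], {}
    for entry in entries:
        key, sep, value = entry.partition("=")
        if not sep or not key:
            problems.append((entry, "not in key=value form"))
            continue
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            problems.append((entry, "value is wrapped in literal quotes"))
        if key == "cpe" and not CPE22.match(value):
            problems.append((entry, "value is not a bare CPE 2.2 URI"))
        if key in seen:
            problems.append((entry, f"duplicate key, first seen as {seen[key]!r}"))
        seen.setdefault(key, entry)
    return problems


# Constructed sample: the reviewed list with additional-labels expanded to
# the value the PR PipelineRun passes, and the static name entry dropped.
AS_REVIEWED = [
    "name=openshift4/recert-rhel9",
    "com.redhat.component=recert",
    "description=recert",
    "distribution-scope=public",
    "io.k8s.description=recert",
    "release=4.20",
    'cpe="cpe:/a:redhat:openshift:4.20::el9"',
    "url=https://github.com/rh-ecosystem-edge/recert",
]
# The same list with the inner quotes removed, as the comment suggests.
FIXED = [e.replace('"', "") for e in AS_REVIEWED]

if __name__ == "__main__":
    for entry, problem in lint_labels(AS_REVIEWED):
        print(f"{entry}: {problem}")
```
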

@fontivan fontivan merged commit 490cee7 into rh-ecosystem-edge:main Oct 3, 2025
4 of 7 checks passed