feat(tkn-bundle-oci-ta): add STEPS_IMAGE_STEP_NAMES #3135
joejstuart wants to merge 1 commit into conforma:main from
Add STEPS_IMAGE_STEP_NAMES parameter to build-tekton-bundle task in cli-main pull-request and push pipelineRuns. This limits STEPS_IMAGE replacement to steps using quay.io/conforma/cli:latest in verify-conforma-konflux-ta, leaving other task steps unchanged.
Assisted-by: Claude Opus 4.6
Review Summary by Qodo
Add STEPS_IMAGE_STEP_NAMES parameter to Tekton bundle tasks
Walkthroughs
Description
• Add STEPS_IMAGE_STEP_NAMES parameter to build-tekton-bundle task
• Limits image replacement to specific steps in verify-conforma-konflux-ta
• Update tkn-bundle-oci-ta task reference from 0.2 to 0.3
• Apply changes consistently across pull-request and push pipelines
Diagram
flowchart LR
A["build-tekton-bundle task"] -- "adds STEPS_IMAGE_STEP_NAMES parameter" --> B["Selective image replacement"]
A -- "updates task version" --> C["tkn-bundle-oci-ta:0.3"]
B -- "targets specific steps" --> D["verify-conforma-konflux-ta"]
File Changes
1. .tekton/cli-main-pull-request.yaml
Code Review by Qodo
1. Bad step-name filter
| - name: STEPS_IMAGE_STEP_NAMES | ||
| value: !use-trusted-artifact |
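Review bot: The `value: !use-trusted-artifact` line is unquoted, and YAML reads a leading `!` as a tag indicator, so the parameter is parsed as a tagged empty node rather than the string `!use-trusted-artifact`. Quote the scalar, e.g. `value: "!use-trusted-artifact"`, and state in the PR description how the task interprets this value, since the description says the filter should select the steps using quay.io/conforma/cli:latest.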
1. Bad step-name filter 🐞 Bug ✓ Correctness
STEPS_IMAGE_STEP_NAMES is set to !use-trusted-artifact, which does not correspond to the steps that use quay.io/conforma/cli:latest, so the intended STEPS_IMAGE replacement likely won’t be applied to the conforma CLI steps. Additionally, the leading ! is YAML tag syntax unless quoted, so this may not be treated as the intended literal string value.
Agent Prompt
### Issue description
`STEPS_IMAGE_STEP_NAMES` is currently set to `!use-trusted-artifact`, which (a) is not one of the step names that actually use `quay.io/conforma/cli:latest` in `verify-conforma-konflux-ta`, and (b) uses a leading `!` that YAML can interpret as tag syntax unless quoted.
### Issue Context
In `tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml`, the steps using `quay.io/conforma/cli:latest` are `initialize-tuf`, `reduce`, and `validate`, while `use-trusted-artifact` uses a different image.
### Fix Focus Areas
- .tekton/cli-main-pull-request.yaml[304-305]
- .tekton/cli-main-push.yaml[306-307]
- tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml[243-286]
### Implementation notes
- Update `STEPS_IMAGE_STEP_NAMES` to the correct step name(s) (likely a list/string of `initialize-tuf`, `reduce`, `validate`) in the format required by `task-tkn-bundle-oci-ta`.
- Ensure the YAML value is a normal string scalar (quote if needed).
| # need to add digest | ||
| value: quay.io/konflux-ci/tekton-catalog/task-tkn-bundle-oci-ta:0.3 |
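Review bot: The bundle `value:` ends at the tag `:0.3` with no `@sha256:` digest, and the `# need to add digest` comment above it confirms the pin is still missing. A tag can be repointed, so the task content this pipeline resolves can change without any change to this file; append `@sha256:<digest>` for the 0.3 bundle and drop the comment before merging.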
2. Unpinned task bundle 🐞 Bug ⛨ Security
The tkn-bundle-oci-ta bundle reference was changed to a mutable tag (:0.3) without a digest, making CI non-reproducible and potentially pulling different task contents over time. This also breaks the existing pattern in these PipelineRuns where bundle-resolved tasks are digest-pinned.
Agent Prompt
### Issue description
`tkn-bundle-oci-ta` is referenced as `...:0.3` without an `@sha256:` digest, making the resolved task mutable and CI runs non-reproducible.
### Issue Context
These PipelineRuns already pin other bundle-resolved tasks by digest; `tkn-bundle-oci-ta` should follow the same pattern.
### Fix Focus Areas
- .tekton/cli-main-pull-request.yaml[318-320]
- .tekton/cli-main-push.yaml[320-322]
### Implementation notes
- Resolve the digest for `quay.io/konflux-ci/tekton-catalog/task-tkn-bundle-oci-ta:0.3` and update the `bundle:` value to include `@sha256:<digest>`.
- Remove the temporary comment once the digest is added.
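A pre-merge check for the two findings above (a param value that starts with an unquoted `!`, and a `bundle` reference without an `@sha256:` digest), as an added example that is not part of the PR or of Qodo's review. It is a line-oriented heuristic rather than a YAML parser; `lint`, the sample manifest and the pinned reference in it are constructed for illustration.

```python
import re

# Constructed sample: the two flagged lines are modelled on the snippets quoted
# in this review; the quoted and digest-pinned entries are made up for contrast.
PINNED = "quay.io/example/task-demo:0.1@sha256:" + "0" * 64  # placeholder digest
SAMPLE = f"""\
params:
  - name: STEPS_IMAGE_STEP_NAMES
    value: !use-trusted-artifact
  - name: QUOTED_EXAMPLE
    value: "!use-trusted-artifact"
taskRef:
  params:
    - name: bundle
      # need to add digest
      value: quay.io/konflux-ci/tekton-catalog/task-tkn-bundle-oci-ta:0.3
    - name: bundle
      value: {PINNED}
"""

NAME = re.compile(r"^\s*-\s+name:\s*(\S+)\s*$")
VALUE = re.compile(r"^\s*(?:-\s+)?value:\s+(\S.*?)\s*$")
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")


def lint(text):
    """Return (line, rule, value) for unquoted '!' values and unpinned bundles."""
    findings, last_name = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # whole-line comment
        if m := NAME.match(line):
            last_name = m.group(1)  # remember which param the next value belongs to
            continue
        m = VALUE.match(line)
        if not m:
            continue
        val = re.sub(r"\s+#.*$", "", m.group(1))  # drop a trailing comment
        if val.startswith("!"):
            # YAML treats a leading '!' as a tag indicator unless the scalar is quoted
            findings.append((lineno, "yaml-tag", val))
        elif last_name == "bundle" and not DIGEST.search(val.strip("'\"")):
            findings.append((lineno, "unpinned-bundle", val))
    return findings


if __name__ == "__main__":
    for lineno, rule, val in lint(SAMPLE):
        print(f"line {lineno}: {rule}: {val}")
```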
Codecov Report
✅ All modified and coverable lines are covered by tests.
Add STEPS_IMAGE_STEP_NAMES parameter to build-tekton-bundle task in cli-main pull-request and push pipelineRuns. This limits STEPS_IMAGE replacement to steps using quay.io/conforma/cli:latest in verify-conforma-konflux-ta, leaving other task steps unchanged.
https://issues.redhat.com/browse/EC-1685
Assisted-by: Claude Opus 4.6