
Red Hat Konflux update hive-mce-50#2868

Open
red-hat-konflux[bot] wants to merge 1 commit into master from konflux-hive-mce-50

Conversation

@red-hat-konflux
Contributor

@red-hat-konflux red-hat-konflux bot commented Mar 13, 2026

Pipelines as Code configuration proposal

To start the PipelineRun, add a new comment with content /ok-to-test

For more detailed information about running a PipelineRun, please refer to Pipelines as Code documentation Running the PipelineRun

To customize the proposed PipelineRuns after merge, please refer to Build Pipeline customization

Please follow the block sequence indentation style introduced by the proposed PipelineRun YAMLs, or keep using a consistent indentation level throughout your customized PipelineRuns. When different levels are mixed, it will be changed to the proposed style.

Summary by CodeRabbit

  • Chores
    • Added CI/CD pipeline configurations to automate multi-platform container builds with integrated security scanning and validation workflows.

Signed-off-by: red-hat-konflux <konflux@no-reply.konflux-ci.dev>
@coderabbitai

coderabbitai bot commented Mar 13, 2026

📝 Walkthrough

Two new Tekton PipelineRun manifests introduce CI/CD workflow definitions for the hive-mce-50 project. Both pipelines orchestrate multi-platform container image builds, dependency prefetching, security scanning (clair-scan, snyk, SAST checks), and artifact propagation through OCI storage with conditional execution paths.

Changes

Tekton PipelineRun Manifests (.tekton/hive-mce-50-pull-request.yaml, .tekton/hive-mce-50-push.yaml): Two new PipelineRun configurations defining multi-stage build workflows with init, repository cloning, dependency prefetching, matrix-driven multi-platform image builds, optional security checks (deprecated base image, clair-scan, snyk, SAST, ecosystem cert checks), tagging, and artifact propagation via OCI storage. Both include task sequencing, conditional execution guards, workspace bindings, and result exports for downstream tasks.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 Hop, hop! A pipeline so grand,
Multi-platforms across the land!
From clone to scan, from build to push,
Security checks without a hush.
The Tekton tasks dance in a row,
Watch the artifacts flow, flow, flow!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Title check (❓ Inconclusive): The title is vague and generic, using 'update' without specifying what was changed in the Konflux configuration. Resolution: Consider a more descriptive title like 'Add Tekton PipelineRun manifests for hive-mce-50 Konflux CI/CD' to clarify the primary change.

✅ Passed checks (2 passed)

Description Check (✅ Passed): Check skipped - CodeRabbit's high-level summary is enabled.
Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci bot requested review from 2uasimojo and dlom March 13, 2026 20:19
@openshift-ci
Contributor

openshift-ci bot commented Mar 13, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: red-hat-konflux[bot]
Once this PR has been reviewed and has the lgtm label, please assign jstuever for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Mar 13, 2026
@openshift-ci
Contributor

openshift-ci bot commented Mar 13, 2026

Hi @red-hat-konflux[bot]. Thanks for your PR.

I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.


@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (4)
.tekton/hive-mce-50-push.yaml (2)

609-613: Consider binding the netrc workspace if needed for dependency prefetching.

The netrc workspace is declared as optional in the pipelineSpec (line 605-606) and used by the prefetch-dependencies task, but it's not bound in the spec-level workspaces. If private dependencies require netrc authentication, you'll need to add a binding here.

♻️ Optional: Add netrc workspace binding if needed
   workspaces:
   - name: git-auth
     secret:
       secretName: '{{ git_auth_secret }}'
+  - name: netrc
+    secret:
+      secretName: '{{ netrc_secret }}'
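Review bot: the added `secretName: '{{ netrc_secret }}'` line is a template placeholder, not a value this repository's Pipelines as Code configuration is shown to define, unlike the `{{ git_auth_secret }}` it sits next to; if the binding is applied as written, the PipelineRun will try to mount a Secret literally named that and fail at pod creation. Either resolve it to the name of a real Secret that carries the `.netrc` content, or leave the optional `netrc` workspace unbound when no private dependencies are prefetched. Since a `.netrc` Secret holds credentials, binding it only in the pipeline that actually needs it is the safer default.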
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.tekton/hive-mce-50-push.yaml around lines 609 - 613, The pipeline spec
currently binds only the git-auth workspace (workspaces: - name: git-auth
secret: secretName: '{{ git_auth_secret }}') but omits the optional netrc
workspace used by the prefetch-dependencies task; if private dependency
prefetching requires netrc auth, add a spec-level workspace binding named netrc
(pointing to the appropriate secret/volume) so the prefetch-dependencies task
can access .netrc at runtime, ensuring the workspace name matches the declared
optional workspace in pipelineSpec and the task's workspace reference.

91-93: Missing type declaration for enable-cache-proxy parameter.

This parameter is missing an explicit type: string declaration, unlike all other parameters in the pipelineSpec. While Tekton defaults to string type, this inconsistency reduces clarity.

♻️ Suggested fix
     - default: "false"
       description: Enable cache proxy configuration
       name: enable-cache-proxy
+      type: string
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.tekton/hive-mce-50-push.yaml around lines 91 - 93, The pipeline parameter
"enable-cache-proxy" in the pipelineSpec is missing an explicit type; add a
"type: string" declaration to the parameter block for enable-cache-proxy
(alongside its existing name, description and default) to match the other
parameters and improve clarity and consistency in .tekton/hive-mce-50-push.yaml.
.tekton/hive-mce-50-pull-request.yaml (2)

94-96: Missing type declaration for enable-cache-proxy parameter.

Same issue as in the push pipeline - this parameter lacks an explicit type: string declaration for consistency with other parameters.

♻️ Suggested fix
     - default: "false"
       description: Enable cache proxy configuration
       name: enable-cache-proxy
+      type: string
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.tekton/hive-mce-50-pull-request.yaml around lines 94 - 96, The parameter
"enable-cache-proxy" is missing an explicit type declaration; update the
parameter block for enable-cache-proxy to include type: string (matching other
pipeline params), e.g., add a line setting type: string alongside the existing
description and default so the parameter definition for enable-cache-proxy
explicitly declares its type.

612-616: Consider binding the netrc workspace if needed (same as push pipeline).

For consistency with the push pipeline review: if private dependencies require netrc authentication, add the binding here as well.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.tekton/hive-mce-50-pull-request.yaml around lines 612 - 616, Add a
workspace binding for netrc in the same workspaces block to match the push
pipeline so private git deps can authenticate; specifically add an entry with
name: netrc and a secret mapping (e.g., secret: { secretName: '{{
git_auth_secret }}' } or the equivalent netrc secret used in the push pipeline)
alongside the existing git-auth entry so the pipeline/task that expects a netrc
workspace can find credentials.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b0f7c524-8c96-42a3-89b5-8fec234d723d

📥 Commits

Reviewing files that changed from the base of the PR and between 4f955dc and 58b1886.

📒 Files selected for processing (2)
  • .tekton/hive-mce-50-pull-request.yaml
  • .tekton/hive-mce-50-push.yaml
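The three findings CodeRabbit raises above (a pipelineSpec param without an explicit type, an optional workspace that a task consumes but the spec never binds, and a secret binding left as an unresolved template placeholder) are all mechanical enough to lint before a manifest is committed. The checker below is an added example, not code from this PR, from Konflux or from CodeRabbit. It reads the PipelineRun as an already-parsed dict (in practice load the YAML with a parser such as PyYAML's `safe_load`); the sample manifest is constructed and keeps only the fields the checks read, the Secret name `hive-netrc` is a placeholder, and the only Pipelines as Code variable it treats as resolvable is `{{ git_auth_secret }}`, the one visible in the suggested diff. The param and workspace checks are general: they run over every param and every task-to-workspace reference, not only the two named in the review.

```python
"""Lint a Tekton PipelineRun dict for the findings raised in the review above."""
import copy
import re
from typing import Any

# Pipelines as Code dynamic variables treated as resolvable. Only the one that
# appears in the reviewed diff is listed; extend this set for your installation.
KNOWN_TEMPLATE_VARS = {"git_auth_secret"}
PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")

# Constructed sample, not the repository's manifest: only the fields the checks
# read, shaped like the push pipeline the review describes.
SAMPLE_PIPELINERUN: dict[str, Any] = {
    "apiVersion": "tekton.dev/v1",
    "kind": "PipelineRun",
    "metadata": {"name": "hive-mce-50-on-push"},
    "spec": {
        "params": [{"name": "git-url", "value": "{{source_url}}"}],
        "workspaces": [
            {"name": "git-auth", "secret": {"secretName": "{{ git_auth_secret }}"}},
        ],
        "pipelineSpec": {
            "params": [
                {"name": "git-url", "type": "string", "description": "Source repository URL"},
                {"default": "false", "description": "Enable cache proxy configuration",
                 "name": "enable-cache-proxy"},  # no explicit type, as in the finding
            ],
            "workspaces": [
                {"name": "git-auth", "optional": True},
                {"name": "netrc", "optional": True},
            ],
            "tasks": [
                {"name": "clone-repository",
                 "workspaces": [{"name": "basic-auth", "workspace": "git-auth"}]},
                {"name": "prefetch-dependencies",
                 "workspaces": [{"name": "netrc", "workspace": "netrc"}]},
            ],
        },
    },
}


def untyped_params(pr: dict[str, Any]) -> list[str]:
    """Names of pipelineSpec params that rely on Tekton's implicit string type."""
    return [p["name"] for p in pr["spec"]["pipelineSpec"].get("params", []) if "type" not in p]


def consumed_unbound_workspaces(pr: dict[str, Any]) -> list[tuple[str, str]]:
    """(workspace, task) pairs where a task uses a declared pipeline workspace
    that spec.workspaces never binds; for optional workspaces the task sees nothing."""
    spec = pr["spec"]
    bound = {w["name"] for w in spec.get("workspaces", [])}
    declared = {w["name"] for w in spec["pipelineSpec"].get("workspaces", [])}
    out = []
    for task in spec["pipelineSpec"].get("tasks", []):
        for ref in task.get("workspaces", []):
            ws = ref.get("workspace")
            if ws in declared and ws not in bound:
                out.append((ws, task["name"]))
    return out


def unresolved_secret_bindings(pr: dict[str, Any],
                               known_vars: set[str] = KNOWN_TEMPLATE_VARS) -> list[tuple[str, str]]:
    """(workspace, secretName) pairs whose secretName is a {{ var }} placeholder
    that no known template variable would substitute at run time."""
    out = []
    for w in pr["spec"].get("workspaces", []):
        name = w.get("secret", {}).get("secretName", "")
        match = PLACEHOLDER.fullmatch(name.strip())
        if match and match.group(1) not in known_vars:
            out.append((w["name"], name))
    return out


def with_netrc_binding(pr: dict[str, Any], secret_name: str) -> dict[str, Any]:
    """Return a copy with the review's suggested netrc binding applied, using
    whatever secretName the caller passes (placeholder or concrete)."""
    new = copy.deepcopy(pr)
    new["spec"].setdefault("workspaces", []).append(
        {"name": "netrc", "secret": {"secretName": secret_name}})
    return new


def lint(pr: dict[str, Any]) -> list[str]:
    """All findings for one manifest, as human-readable strings."""
    findings = [f"param '{p}' has no explicit type" for p in untyped_params(pr)]
    findings += [f"workspace '{ws}' is consumed by task '{task}' but not bound in spec.workspaces"
                 for ws, task in consumed_unbound_workspaces(pr)]
    findings += [f"workspace '{ws}' binds secretName '{name}', an unresolved template placeholder"
                 for ws, name in unresolved_secret_bindings(pr)]
    return findings


if __name__ == "__main__":
    variants = [
        ("as reviewed", SAMPLE_PIPELINERUN),
        ("with the suggested diff applied verbatim", with_netrc_binding(SAMPLE_PIPELINERUN, "{{ netrc_secret }}")),
        ("with a concrete secret name (placeholder 'hive-netrc')", with_netrc_binding(SAMPLE_PIPELINERUN, "hive-netrc")),
    ]
    for label, manifest in variants:
        print(f"{label}:")
        for finding in lint(manifest) or ["no findings"]:
            print("  -", finding)
```

Running the three variants shows the trade-off the review leaves implicit: the manifest as reviewed reports the untyped param and the unbound `netrc` workspace; applying the suggested diff verbatim clears the unbound finding but trades it for an unresolved `{{ netrc_secret }}` placeholder; only a concrete Secret name leaves the param type as the sole finding.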


Labels

needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test.
