feat(EC-1941): add enterprise-contract pipeline definition#3416
feat(EC-1941): add enterprise-contract pipeline definition#3416joejstuart wants to merge 2 commits into
Conversation
Copy the enterprise-contract integration test pipeline definition from build-definitions into this repo alongside the existing task definitions. This establishes conforma/cli as the source of truth for maintaining the pipeline going forward. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
🤖 Finished Review · ✅ Success · Started 2:11 AM UTC · Completed 2:16 AM UTC |
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Enterprise Run ID: 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughWalkthroughAdds a Tekton ChangesEnterprise contract verification
Estimated code review effort: 2 (Simple) | ~10 minutes Sequence Diagram(s)sequenceDiagram
participant Pipeline
participant collect-keyless-params
participant verify-enterprise-contract
Pipeline->>collect-keyless-params: Collect keyless verification parameters
collect-keyless-params-->>Pipeline: Return OIDC, identity, TUF, and Rekor values
Pipeline->>verify-enterprise-contract: Pass collected values and pipeline parameters
verify-enterprise-contract-->>Pipeline: Return TEST_OUTPUT
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (1)
pipelines/enterprise-contract/enterprise-contract.yaml (1)
96-97: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winPin the Tekton task bundle ref. Both
taskRefentries still usequay.io/conforma/tekton-task:konflux; if that tag is republished, the pipeline can pick up different task code without any YAML change. Pinning the bundle digest would make the pipeline reproducible.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@pipelines/enterprise-contract/enterprise-contract.yaml` around lines 96 - 97, Update both Tekton taskRef bundle references in the pipeline from the mutable quay.io/conforma/tekton-task:konflux tag to a fixed image digest. Keep the existing task reference structure and use the approved digest for the intended bundle version.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@pipelines/enterprise-contract/enterprise-contract.yaml`:
- Around line 1-4: Add the repository-standard license header at the beginning
of enterprise-contract.yaml, matching the exact format used by other pipeline
and task YAML files; preserve the existing pipeline description and
configuration unchanged.
- Around line 124-131: Update the environment-variable list for the
verify-enterprise-contract task to pass the collected buildIdentityRegexp result
as CERTIFICATE_IDENTITY_REGEXP, alongside CERTIFICATE_IDENTITY. Leave fulcioUrl
omitted and preserve the existing mappings.
---
Nitpick comments:
In `@pipelines/enterprise-contract/enterprise-contract.yaml`:
- Around line 96-97: Update both Tekton taskRef bundle references in the
pipeline from the mutable quay.io/conforma/tekton-task:konflux tag to a fixed
image digest. Keep the existing task reference structure and use the approved
digest for the intended bundle version.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Enterprise
Run ID: 726c6bde-78ab-4ee5-b565-1fd29a4d3f92
📒 Files selected for processing (1)
pipelines/enterprise-contract/enterprise-contract.yaml
| - name: CERTIFICATE_OIDC_ISSUER | ||
| value: "$(tasks.collect-keyless-params.results.defaultOIDCIssuer)" | ||
| - name: CERTIFICATE_IDENTITY | ||
| value: "$(tasks.collect-keyless-params.results.tektonChainsIdentity)" | ||
| - name: TUF_MIRROR | ||
| value: "$(tasks.collect-keyless-params.results.tufUrl)" | ||
| - name: REKOR_HOST | ||
| value: "$(tasks.collect-keyless-params.results.rekorUrl)" |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
rg -n 'CERTIFICATE_IDENTITY|FULCIO|REGEXP|keylessSigningEnabled' tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yamlRepository: conforma/cli
Length of output: 1695
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== enterprise-contract pipeline =="
sed -n '1,220p' pipelines/enterprise-contract/enterprise-contract.yaml
echo
echo "== collect-keyless-params task =="
sed -n '1,220p' tasks/collect-keyless-params.yaml
echo
echo "== verify-enterprise-contract task =="
sed -n '1,240p' tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml
echo
echo "== search for collect-keyless-params results usage =="
rg -n 'defaultOIDCIssuer|tektonChainsIdentity|tufUrl|rekorUrl|keylessSigningEnabled|buildIdentityRegexp|fulcioUrl' pipelines tasks -g '!**/vendor/**'Repository: conforma/cli
Length of output: 6570
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== files of interest =="
git ls-files | rg 'enterprise-contract|collect-keyless-params|verify-enterprise-contract'
echo
echo "== search for keyless param outputs and regexp params =="
rg -n 'defaultOIDCIssuer|tektonChainsIdentity|tufUrl|rekorUrl|keylessSigningEnabled|buildIdentityRegexp|fulcioUrl|CERTIFICATE_IDENTITY_REGEXP|CERTIFICATE_OIDC_ISSUER_REGEXP' .
echo
echo "== pipeline consumers =="
rg -n 'tasks\.collect-keyless-params\.results\.(defaultOIDCIssuer|tektonChainsIdentity|tufUrl|rekorUrl|keylessSigningEnabled|buildIdentityRegexp|fulcioUrl)' pipelines tasksRepository: conforma/cli
Length of output: 30586
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== collect-keyless-params task =="
sed -n '1,240p' tasks/collect-keyless-params/0.1/collect-keyless-params.yaml
echo
echo "== verify-enterprise-contract task params/results =="
sed -n '1,160p' tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml
echo
echo "== docs for collect-keyless-params =="
sed -n '1,120p' docs/modules/ROOT/pages/collect-keyless-params.adoc
echo
echo "== docs for verify-enterprise-contract =="
sed -n '1,120p' docs/modules/ROOT/pages/verify-enterprise-contract.adoc
echo
echo "== other uses of buildIdentityRegexp / fulcioUrl =="
rg -n 'buildIdentityRegexp|fulcioUrl|CERTIFICATE_IDENTITY_REGEXP|CERTIFICATE_OIDC_ISSUER_REGEXP' docs tasks pipelines features internalRepository: conforma/cli
Length of output: 31092
Pass buildIdentityRegexp through to verify-enterprise-contract. The task already accepts CERTIFICATE_IDENTITY_REGEXP, so this pipeline is dropping one of the collected keyless results today. fulcioUrl has no matching param here and can stay omitted.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@pipelines/enterprise-contract/enterprise-contract.yaml` around lines 124 -
131, Update the environment-variable list for the verify-enterprise-contract
task to pass the collected buildIdentityRegexp result as
CERTIFICATE_IDENTITY_REGEXP, alongside CERTIFICATE_IDENTITY. Leave fulcioUrl
omitted and preserve the existing mappings.
Review — commentThis PR adds a Tekton v1 Pipeline definition at Findings1. CI coverage gap — pipeline YAML excluded from tekton-lint ·
|
| # | Severity | Category | File | Description |
|---|---|---|---|---|
| 1 | low | style/conventions | pipelines/enterprise-contract/enterprise-contract.yaml |
Missing Apache 2.0 license header. All three task YAML files in tasks/ include the standard copyright header (Copyright The Conforma Contributors, Apache-2.0, SPDX identifier). This new pipeline file omits it. Consider adding the header for consistency. |
Labels: PR adds a new Tekton Pipeline definition
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
🤖 Finished Review · ✅ Success · Started 2:27 AM UTC · Completed 2:39 AM UTC |
| resolver: bundles | ||
| params: | ||
| - name: bundle | ||
| value: quay.io/conforma/tekton-task:konflux |
There was a problem hiding this comment.
[medium] supply-chain
Both taskRef bundle references use the mutable tag quay.io/conforma/tekton-task:konflux. Tag mutation (accidental or malicious) would silently substitute a different task definition running with the pipeline's service-account privileges. This is a pre-existing pattern in the repo (release/cli.yaml uses :latest) but remains a supply-chain integrity concern.
Suggested fix: Consider pinning to an immutable digest (quay.io/conforma/tekton-task@sha256:) or documenting the acceptance of floating tags for this use case.
| # | ||
| # SPDX-License-Identifier: Apache-2.0 | ||
|
|
||
| # The purpose of this pipeline is to execute the verify-enterprise-contract-v2 task for container |
There was a problem hiding this comment.
[low] documentation-accuracy
Comment references 'verify-enterprise-contract-v2 task' but the actual taskRef resolves 'verify-enterprise-contract' (no -v2 suffix). No task named verify-enterprise-contract-v2 exists in the repository.
Suggested fix: Change the comment from 'verify-enterprise-contract-v2' to 'verify-enterprise-contract'.
| @@ -0,0 +1,172 @@ | |||
| # Copyright The Conforma Contributors | |||
There was a problem hiding this comment.
[low] file-header-format
All other Tekton YAML files in the repository (tasks and release/cli.yaml) begin with the YAML document start marker '---'. The new file starts directly with the license comment, breaking this convention.
Suggested fix: Add '---' as the first line of the file.
Codecov Report✅ All modified and coverable lines are covered by tests.
Flags with carried forward coverage won't be shown. Click here to find out more. 🚀 New features to boost your workflow:
|
Summary
pipelines/enterprise-contract/enterprise-contract.yaml— Tekton v1 Pipeline withcollect-keyless-paramsandverify-enterprise-contracttasksquay.io/conforma/tekton-task:konfluxbundle for both tasksResolves: EC-1941
Test plan
tkn bundle push🤖 Generated with Claude Code