Skip to content

feat(EC-1941): add enterprise-contract pipeline definition#3416

Open
joejstuart wants to merge 2 commits into
conforma:mainfrom
joejstuart:EC-1941
Open

feat(EC-1941): add enterprise-contract pipeline definition#3416
joejstuart wants to merge 2 commits into
conforma:mainfrom
joejstuart:EC-1941

Conversation

@joejstuart

Copy link
Copy Markdown
Contributor

Summary

  • Add pipelines/enterprise-contract/enterprise-contract.yaml — Tekton v1 Pipeline with collect-keyless-params and verify-enterprise-contract tasks
  • Copied from build-definitions upstream/main without modification
  • Pipeline references quay.io/conforma/tekton-task:konflux bundle for both tasks

Resolves: EC-1941

Test plan

  • Pipeline YAML is valid and matches build-definitions source
  • Verify pipeline can be bundled and pushed via tkn bundle push
  • EC-1942 will add publishing automation

🤖 Generated with Claude Code

Copy the enterprise-contract integration test pipeline definition from
build-definitions into this repo alongside the existing task definitions.
This establishes conforma/cli as the source of truth for maintaining the
pipeline going forward.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 16, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 2:11 AM UTC · Completed 2:16 AM UTC
Commit: 87c4a29 · View workflow run →

@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: aae749ba-ca77-444e-a39c-375532e9b7ba

📥 Commits

Reviewing files that changed from the base of the PR and between 106203e and 26ae6a8.

📒 Files selected for processing (1)
  • pipelines/enterprise-contract/enterprise-contract.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • pipelines/enterprise-contract/enterprise-contract.yaml

📝 Walkthrough

Walkthrough

Adds a Tekton enterprise-contract pipeline that collects keyless verification parameters, runs enterprise contract verification with configured inputs, forces IGNORE_REKOR, exposes TEST_OUTPUT, and applies a four-hour task timeout.

Changes

Enterprise contract verification

Layer / File(s) Summary
Pipeline contract
pipelines/enterprise-contract/enterprise-contract.yaml
Declares pipeline parameters for snapshot verification and maps the verification task output to TEST_OUTPUT.
Verification execution
pipelines/enterprise-contract/enterprise-contract.yaml
Runs collect-keyless-params before verify-enterprise-contract, propagates collected and configured values, forces IGNORE_REKOR to "true", and sets a four-hour timeout.

Estimated code review effort: 2 (Simple) | ~10 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Pipeline
  participant collect-keyless-params
  participant verify-enterprise-contract
  Pipeline->>collect-keyless-params: Collect keyless verification parameters
  collect-keyless-params-->>Pipeline: Return OIDC, identity, TUF, and Rekor values
  Pipeline->>verify-enterprise-contract: Pass collected values and pipeline parameters
  verify-enterprise-contract-->>Pipeline: Return TEST_OUTPUT
Loading
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly states the addition of an enterprise-contract pipeline definition, which matches the changeset.
Description check ✅ Passed The description accurately describes the new pipeline file, its tasks, and its source, all matching the changeset.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (1)
pipelines/enterprise-contract/enterprise-contract.yaml (1)

96-97: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Pin the Tekton task bundle ref. Both taskRef entries still use quay.io/conforma/tekton-task:konflux; if that tag is republished, the pipeline can pick up different task code without any YAML change. Pinning the bundle digest would make the pipeline reproducible.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pipelines/enterprise-contract/enterprise-contract.yaml` around lines 96 - 97,
Update both Tekton taskRef bundle references in the pipeline from the mutable
quay.io/conforma/tekton-task:konflux tag to a fixed image digest. Keep the
existing task reference structure and use the approved digest for the intended
bundle version.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pipelines/enterprise-contract/enterprise-contract.yaml`:
- Around line 1-4: Add the repository-standard license header at the beginning
of enterprise-contract.yaml, matching the exact format used by other pipeline
and task YAML files; preserve the existing pipeline description and
configuration unchanged.
- Around line 124-131: Update the environment-variable list for the
verify-enterprise-contract task to pass the collected buildIdentityRegexp result
as CERTIFICATE_IDENTITY_REGEXP, alongside CERTIFICATE_IDENTITY. Leave fulcioUrl
omitted and preserve the existing mappings.

---

Nitpick comments:
In `@pipelines/enterprise-contract/enterprise-contract.yaml`:
- Around line 96-97: Update both Tekton taskRef bundle references in the
pipeline from the mutable quay.io/conforma/tekton-task:konflux tag to a fixed
image digest. Keep the existing task reference structure and use the approved
digest for the intended bundle version.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 726c6bde-78ab-4ee5-b565-1fd29a4d3f92

📥 Commits

Reviewing files that changed from the base of the PR and between 33b9c36 and 106203e.

📒 Files selected for processing (1)
  • pipelines/enterprise-contract/enterprise-contract.yaml

Comment thread pipelines/enterprise-contract/enterprise-contract.yaml
Comment on lines +124 to +131
- name: CERTIFICATE_OIDC_ISSUER
value: "$(tasks.collect-keyless-params.results.defaultOIDCIssuer)"
- name: CERTIFICATE_IDENTITY
value: "$(tasks.collect-keyless-params.results.tektonChainsIdentity)"
- name: TUF_MIRROR
value: "$(tasks.collect-keyless-params.results.tufUrl)"
- name: REKOR_HOST
value: "$(tasks.collect-keyless-params.results.rekorUrl)"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
rg -n 'CERTIFICATE_IDENTITY|FULCIO|REGEXP|keylessSigningEnabled' tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml

Repository: conforma/cli

Length of output: 1695


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== enterprise-contract pipeline =="
sed -n '1,220p' pipelines/enterprise-contract/enterprise-contract.yaml

echo
echo "== collect-keyless-params task =="
sed -n '1,220p' tasks/collect-keyless-params.yaml

echo
echo "== verify-enterprise-contract task =="
sed -n '1,240p' tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml

echo
echo "== search for collect-keyless-params results usage =="
rg -n 'defaultOIDCIssuer|tektonChainsIdentity|tufUrl|rekorUrl|keylessSigningEnabled|buildIdentityRegexp|fulcioUrl' pipelines tasks -g '!**/vendor/**'

Repository: conforma/cli

Length of output: 6570


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== files of interest =="
git ls-files | rg 'enterprise-contract|collect-keyless-params|verify-enterprise-contract'

echo
echo "== search for keyless param outputs and regexp params =="
rg -n 'defaultOIDCIssuer|tektonChainsIdentity|tufUrl|rekorUrl|keylessSigningEnabled|buildIdentityRegexp|fulcioUrl|CERTIFICATE_IDENTITY_REGEXP|CERTIFICATE_OIDC_ISSUER_REGEXP' .

echo
echo "== pipeline consumers =="
rg -n 'tasks\.collect-keyless-params\.results\.(defaultOIDCIssuer|tektonChainsIdentity|tufUrl|rekorUrl|keylessSigningEnabled|buildIdentityRegexp|fulcioUrl)' pipelines tasks

Repository: conforma/cli

Length of output: 30586


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== collect-keyless-params task =="
sed -n '1,240p' tasks/collect-keyless-params/0.1/collect-keyless-params.yaml

echo
echo "== verify-enterprise-contract task params/results =="
sed -n '1,160p' tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml

echo
echo "== docs for collect-keyless-params =="
sed -n '1,120p' docs/modules/ROOT/pages/collect-keyless-params.adoc

echo
echo "== docs for verify-enterprise-contract =="
sed -n '1,120p' docs/modules/ROOT/pages/verify-enterprise-contract.adoc

echo
echo "== other uses of buildIdentityRegexp / fulcioUrl =="
rg -n 'buildIdentityRegexp|fulcioUrl|CERTIFICATE_IDENTITY_REGEXP|CERTIFICATE_OIDC_ISSUER_REGEXP' docs tasks pipelines features internal

Repository: conforma/cli

Length of output: 31092


Pass buildIdentityRegexp through to verify-enterprise-contract. The task already accepts CERTIFICATE_IDENTITY_REGEXP, so this pipeline is dropping one of the collected keyless results today. fulcioUrl has no matching param here and can stay omitted.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pipelines/enterprise-contract/enterprise-contract.yaml` around lines 124 -
131, Update the environment-variable list for the verify-enterprise-contract
task to pass the collected buildIdentityRegexp result as
CERTIFICATE_IDENTITY_REGEXP, alongside CERTIFICATE_IDENTITY. Leave fulcioUrl
omitted and preserve the existing mappings.

@fullsend-ai-review

fullsend-ai-review Bot commented Jul 16, 2026

Copy link
Copy Markdown

Review — comment

This PR adds a Tekton v1 Pipeline definition at pipelines/enterprise-contract/enterprise-contract.yaml containing two tasks: collect-keyless-params and verify-enterprise-contract, both resolved from the quay.io/conforma/tekton-task:konflux bundle. The pipeline params correctly map to the downstream task params, and the collect-keyless-params result references (defaultOIDCIssuer, tektonChainsIdentity, tufUrl, rekorUrl) match the task's declared results. No critical or high-severity issues were found.

Findings

1. CI coverage gap — pipeline YAML excluded from tekton-lint · medium

The Makefile tekton-lint target (line 250) uses $(wildcard tasks/*/*/*.yaml), which only matches files under tasks/. The new pipelines/enterprise-contract/enterprise-contract.yaml will never be linted, even though .tektonlintrc.yaml already configures pipeline-specific rules (no-pipeline-missing-parameters, no-pipeline-missing-task, no-pipeline-task-cycle).

Remediation: Update the tekton-lint target to also glob pipelines/*/*.yaml and verify the new pipeline passes tekton-lint --max-warnings=0 before merging.

2. Mutable tag on task bundle references · medium

Both taskRef entries reference quay.io/conforma/tekton-task:konflux — a mutable registry tag. Tag mutation (accidental or malicious) would silently substitute a different task definition that runs with the pipeline's service-account privileges. The repo's existing release pipeline (release/cli.yaml) uses :latest, so floating tags are a pre-existing pattern, but this remains a supply-chain integrity concern per SLSA.

Remediation: Consider pinning to an immutable digest (quay.io/conforma/tekton-task@sha256:<digest>) or documenting the acceptance of floating tags for this use case.

3. No upstream provenance tracking for vendored content · medium

The PR description states the file was "copied from build-definitions upstream/main without modification," but the file itself contains no upstream source reference — no repo URL, branch, or commit SHA. The existing hack/update-build-definitions.sh pushes task bundle references FROM this repo INTO a build-definitions clone, but there is no mechanism to sync pipeline definitions in the other direction. Over time this copy will silently drift from upstream.

Remediation: Add a header comment noting the exact upstream source (repo URL, commit SHA) and consider adding a sync check script or CI step.

4. Inaccurate comment — "verify-enterprise-contract-v2" · low

Line 17 references "verify-enterprise-contract-v2 task" but the actual taskRef (line 163) resolves verify-enterprise-contract (no -v2 suffix). No task named verify-enterprise-contract-v2 exists in the repository.

Remediation: Change the comment to reference verify-enterprise-contract.

5. Missing YAML document start marker · low

All other Tekton YAML files in the repository — both tasks (tasks/*/0.1/*.yaml) and the existing pipeline (release/cli.yaml) — begin with ---. The new file starts directly with the license comment block, breaking this convention.

Remediation: Add --- as the first line of the file.

Notes

  • Correctness: Pipeline params map correctly to task params. The collect-keyless-params result references are accurate. The IGNORE_REKOR: "true" is safely overridden by the verify task when keyless CERTIFICATE_* params are present.
  • Security: No hardcoded secrets or injection concerns. The PUBLIC_KEY default uses the standard k8s:// Tekton mechanism. No prompt injection or Unicode steganography detected.
  • Cross-repo contracts: No existing exported interfaces are modified. The pipeline is a new additive resource with no current consumers.
  • Documentation: The docs site (docs/modules/ROOT/pages/tasks.adoc, release-process.adoc) covers only tasks. Follow-up documentation to cover the new pipeline resource type is advisable once EC-1942 adds publishing automation.

Labels: PR adds Tekton pipeline tooling artifact to the repository.

Previous run

Review of #3416 — feat(EC-1941): add enterprise-contract pipeline definition

Verdict: approve

Summary

This PR adds a new Tekton v1 Pipeline definition at pipelines/enterprise-contract/enterprise-contract.yaml that orchestrates two tasks already defined in this repo: collect-keyless-params and verify-enterprise-contract. The pipeline collects keyless signing parameters from a Konflux cluster ConfigMap, then runs Conforma verification against container images.

The change is well-scoped, correct, and safe to merge.

Correctness

The pipeline is structurally sound:

  • Parameter mapping is correct — all 13 pipeline params are properly forwarded to the verify task. The SNAPSHOT pipeline param maps to the task's IMAGES param, and all others match by name.
  • Task result consumption is correct — collect-keyless-params results (defaultOIDCIssuer, tektonChainsIdentity, tufUrl, rekorUrl) are properly threaded into the verify task via $(tasks.collect-keyless-params.results.*) interpolation.
  • Pipeline result TEST_OUTPUT correctly references $(tasks.verify.results.TEST_OUTPUT).
  • Task ordering is correct — verify declares runAfter: [collect-keyless-params].
  • Task parameters not exposed at the pipeline level (CERTIFICATE_*_REGEXP, INFO, HOMEDIR, POLICY_BUNDLE_DIGEST, retry params, EC_USE_OPA, SINGLE_COMPONENT_CUSTOM_RESOURCE_NS) all have sensible defaults in the task definition.

Security

No concerns. No secrets or credentials are embedded. The quay.io/conforma/tekton-task:konflux bundle tag is a floating reference, but this is consistent with the project's existing patterns for task bundles.

Findings

# Severity Category File Description
1 low style/conventions pipelines/enterprise-contract/enterprise-contract.yaml Missing Apache 2.0 license header. All three task YAML files in tasks/ include the standard copyright header (Copyright The Conforma Contributors, Apache-2.0, SPDX identifier). This new pipeline file omits it. Consider adding the header for consistency.

Labels: PR adds a new Tekton Pipeline definition

fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review fullsend-ai-review Bot added ready-for-merge All reviewers approved — ready to merge feature labels Jul 16, 2026
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 16, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 2:27 AM UTC · Completed 2:39 AM UTC
Commit: 87c4a29 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See the review comment for full details.

resolver: bundles
params:
- name: bundle
value: quay.io/conforma/tekton-task:konflux

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[medium] supply-chain

Both taskRef bundle references use the mutable tag quay.io/conforma/tekton-task:konflux. Tag mutation (accidental or malicious) would silently substitute a different task definition running with the pipeline's service-account privileges. This is a pre-existing pattern in the repo (release/cli.yaml uses :latest) but remains a supply-chain integrity concern.

Suggested fix: Consider pinning to an immutable digest (quay.io/conforma/tekton-task@sha256:) or documenting the acceptance of floating tags for this use case.

#
# SPDX-License-Identifier: Apache-2.0

# The purpose of this pipeline is to execute the verify-enterprise-contract-v2 task for container

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[low] documentation-accuracy

Comment references 'verify-enterprise-contract-v2 task' but the actual taskRef resolves 'verify-enterprise-contract' (no -v2 suffix). No task named verify-enterprise-contract-v2 exists in the repository.

Suggested fix: Change the comment from 'verify-enterprise-contract-v2' to 'verify-enterprise-contract'.

@@ -0,0 +1,172 @@
# Copyright The Conforma Contributors

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[low] file-header-format

All other Tekton YAML files in the repository (tasks and release/cli.yaml) begin with the YAML document start marker '---'. The new file starts directly with the license comment, breaking this convention.

Suggested fix: Add '---' as the first line of the file.

@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment tooling and removed ready-for-merge All reviewers approved — ready to merge labels Jul 16, 2026
@codecov

codecov Bot commented Jul 16, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag Coverage Δ
acceptance 54.26% <ø> (+<0.01%) ⬆️
generative 16.80% <ø> (ø)
integration 27.97% <ø> (ø)
unit 71.74% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant