Red Hat Konflux kflux-prd-rh02 update hyperfleet-adapter

[red-hat-konflux-kflux-prd-rh02]

Pipelines as Code configuration proposal

To start the PipelineRun, add a new comment with content /ok-to-test

For more detailed information about running a PipelineRun, please refer to Pipelines as Code documentation Running the PipelineRun

To customize the proposed PipelineRuns after merge, please refer to Build Pipeline customization

Please follow the block sequence indentation style introduced by the proprosed PipelineRuns YAMLs, or keep using consistent indentation level through your customized PipelineRuns. When different levels are mixed, it will be changed to the proposed style.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign ciaranroche for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR.

I'm waiting for a openshift-hyperfleet member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

📝 Walkthrough

Summary by CodeRabbit

Release Notes

• Chores
  • Added automated build pipelines for container images triggered on push events and version tags
  • Implemented security scanning and compliance checks including vulnerability assessments, artifact verification, and image analysis
  • Container images are automatically built, tagged, and published following defined pipeline workflows

Walkthrough

This pull request adds two Tekton PipelineRun manifests to automate container image builds and security scanning for the hyperfleet-adapter. The push-triggered pipeline (.tekton/hyperfleet-adapter-push.yaml) builds and publishes on commits to the main branch, while the tag-triggered pipeline (.tekton/hyperfleet-adapter-tag.yaml) builds and publishes on semantic version tags. Both pipelines follow a consistent task flow: initialize build environment, clone repository, prefetch dependencies, build container image via Buildah, generate image indices, run conditional security scans (Clair, SAST, ClamAV, ecosystem cert checks), and promote artifacts (tag application, Dockerfile push, RPM signature validation). The tag pipeline includes additional version extraction from git tags to inject semantic versioning into build arguments.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: adding/updating hyperfleet-adapter Tekton PipelineRun manifests for Red Hat Konflux in the kflux-prd-rh02 environment.
Description check	✅ Passed	The description is related to the changeset, explaining that this is a Pipelines as Code configuration proposal and providing instructions for triggering and customizing the PipelineRuns.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch konflux-hyperfleet-adapter

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[ciaranRoche]

/ok-to-test

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.tekton/hyperfleet-adapter-tag.yaml:
- Line 159: Replace the floating tag in the inline Tekton task image declaration
(the line starting with "image: registry.access.redhat.com/ubi9-minimal:latest")
with a pinned digest reference
(registry.access.redhat.com/ubi9-minimal@sha256:<digest>) so builds are
reproducible; obtain the current sha256 digest (e.g. via skopeo inspect
docker://registry.access.redhat.com/ubi9-minimal:latest | jq -r '.Digest') and
update the image value accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 937f157a-b030-4443-bd94-9d41cd3efde4

📥 Commits

Reviewing files that changed from the base of the PR and between ede8299 and 5a89070.

📒 Files selected for processing (1)

• .tekton/hyperfleet-adapter-tag.yaml

[coderabbitai]

🧹 Nitpick | 🔵 Trivial | 💤 Low value

Consider pinning the base image for reproducibility.

Using :latest tag can lead to non-reproducible builds if the base image changes. Since all external task bundles in this pipeline use pinned sha256 digests, consider pinning this inline task image as well for consistency.

♻️ Suggested pin example

-          image: registry.access.redhat.com/ubi9-minimal:latest
+          image: registry.access.redhat.com/ubi9-minimal:9.4@sha256:<digest>

You can find the current digest with:

skopeo inspect docker://registry.access.redhat.com/ubi9-minimal:latest | jq -r '.Digest'

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.tekton/hyperfleet-adapter-tag.yaml at line 159, Replace the floating tag in
the inline Tekton task image declaration (the line starting with "image:
registry.access.redhat.com/ubi9-minimal:latest") with a pinned digest reference
(registry.access.redhat.com/ubi9-minimal@sha256:<digest>) so builds are
reproducible; obtain the current sha256 digest (e.g. via skopeo inspect
docker://registry.access.redhat.com/ubi9-minimal:latest | jq -r '.Digest') and
update the image value accordingly.

[ciaranRoche]

/ok-to-test