Red Hat Konflux kflux-prd-rh02 update hyperfleet-sentinel

[red-hat-konflux-kflux-prd-rh02]

Pipelines as Code configuration proposal

To start the PipelineRun, add a new comment with content /ok-to-test

For more detailed information about running a PipelineRun, please refer to Pipelines as Code documentation Running the PipelineRun

To customize the proposed PipelineRuns after merge, please refer to Build Pipeline customization

Please follow the block sequence indentation style introduced by the proprosed PipelineRuns YAMLs, or keep using consistent indentation level through your customized PipelineRuns. When different levels are mixed, it will be changed to the proposed style.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign rh-amarin for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR.

I'm waiting for a openshift-hyperfleet member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

📝 Walkthrough

Summary by CodeRabbit

Release Notes

• Chores
  • Added automated CI/CD pipelines for hyperfleet-sentinel that trigger on code pushes to the main branch and on version tag creation, including containerized image building, comprehensive security scanning, and artifact publishing.

Walkthrough

This PR adds two new Tekton PipelineRun manifests to automate building and publishing the hyperfleet-sentinel container image. The push-triggered pipeline executes on commits to the main branch, while the tag-triggered pipeline executes on version tag pushes matching refs/tags/vX.Y.Z. Both pipelines orchestrate a sequence of tasks: repository initialization, cloning, optional dependency prefetching, buildah-based container image construction, optional source image generation, and conditional security/compliance scanning (including deprecated base image checks, Clair vulnerability scanning, ecosystem cert preflight validation, SAST analysis via Snyk and shell/unicode checks, ClamAV scanning, and RPM signature verification). After security checks, both pipelines apply image tags and push Dockerfile artifacts. The pipelines declare optional workspaces for Git authentication and netrc credentials, and bind a dedicated service account for task execution.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title mentions 'Red Hat Konflux kflux-prd-rh02 update hyperfleet-sentinel' which relates to adding Konflux CI/CD pipeline configuration, but it is vague about the specific changes (two new Tekton PipelineRun manifests for push and tag events).
Description check	✅ Passed	The description is related to the changeset as it discusses Pipelines as Code configuration, though it is generic and does not detail the specific push/tag pipeline manifests being added.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch konflux-hyperfleet-sentinel

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.tekton/hyperfleet-sentinel-pull-request.yaml:
- Around line 91-93: The parameter "enable-cache-proxy" is missing an explicit
type; add a line "type: string" under the parameter definition so it matches the
style used in push.yaml and other parameters (keep the existing default and
description and ensure indentation matches surrounding parameters); update the
block that currently contains name: enable-cache-proxy to include type: string.

In @.tekton/hyperfleet-sentinel-push.yaml:
- Around line 88-90: The parameter entry for enable-cache-proxy is missing an
explicit type; update the parameter block that contains name: enable-cache-proxy
and default: "false" to include type: string so it matches the other string
parameters and keeps parameter definitions consistent.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 785296fb-042a-4b7a-8332-2d80f5c5ad07

📥 Commits

Reviewing files that changed from the base of the PR and between 36b9830 and 491b702.

📒 Files selected for processing (2)

• .tekton/hyperfleet-sentinel-pull-request.yaml
• .tekton/hyperfleet-sentinel-push.yaml

[coderabbitai]

🧹 Nitpick | 🔵 Trivial | 💤 Low value

Missing type: string for enable-cache-proxy parameter (same as push.yaml).

For consistency with the push pipeline and other parameters in this file, add the explicit type declaration.

♻️ Suggested fix

     - default: "false"
       description: Enable cache proxy configuration
       name: enable-cache-proxy
+      type: string

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- default: "false"
	description: Enable cache proxy configuration
	name: enable-cache-proxy
	- default: "false"
	description: Enable cache proxy configuration
	name: enable-cache-proxy
	type: string

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.tekton/hyperfleet-sentinel-pull-request.yaml around lines 91 - 93, The
parameter "enable-cache-proxy" is missing an explicit type; add a line "type:
string" under the parameter definition so it matches the style used in push.yaml
and other parameters (keep the existing default and description and ensure
indentation matches surrounding parameters); update the block that currently
contains name: enable-cache-proxy to include type: string.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial | 💤 Low value

Missing type: string for enable-cache-proxy parameter.

This parameter is missing the explicit type declaration that all other string parameters have. While Tekton infers string as the default type, adding it maintains consistency with the rest of the parameter definitions.

♻️ Suggested fix

     - default: "false"
       description: Enable cache proxy configuration
       name: enable-cache-proxy
+      type: string

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- default: "false"
	description: Enable cache proxy configuration
	name: enable-cache-proxy
	- default: "false"
	description: Enable cache proxy configuration
	name: enable-cache-proxy
	type: string

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.tekton/hyperfleet-sentinel-push.yaml around lines 88 - 90, The parameter
entry for enable-cache-proxy is missing an explicit type; update the parameter
block that contains name: enable-cache-proxy and default: "false" to include
type: string so it matches the other string parameters and keeps parameter
definitions consistent.

[ciaranRoche]

/ok-to-test

[ciaranRoche]

/retest

[ciaranRoche]

/test validate-commits

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.tekton/hyperfleet-sentinel-tag.yaml:
- Line 159: The extract-version task step currently uses a mutable image tag
"registry.access.redhat.com/ubi9-minimal:latest"; change that to a digest-pinned
reference (e.g., registry.access.redhat.com/ubi9-minimal@sha256:...) so the
extract-version step image is immutable and reproducible—update the image field
for the extract-version step to use the same digest-pinning pattern used by
other task bundles in this file.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 96c2a1b4-866c-4fab-8277-e6af86c7e89f

📥 Commits

Reviewing files that changed from the base of the PR and between 491b702 and 24a6100.

📒 Files selected for processing (1)

• .tekton/hyperfleet-sentinel-tag.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Find mutable :latest image references in Tekton manifests
rg -n --type=yaml '^\s*image:\s*\S+:latest\b' -C2

Repository: openshift-hyperfleet/hyperfleet-sentinel

Length of output: 66

---

🏁 Script executed:

#!/bin/bash
# Read the file around line 159 to see actual content
head -170 .tekton/hyperfleet-sentinel-tag.yaml | tail -20

Repository: openshift-hyperfleet/hyperfleet-sentinel

Length of output: 668

---

🏁 Script executed:

#!/bin/bash
# Find all image references in the tag pipeline file
rg -n 'image:' .tekton/hyperfleet-sentinel-tag.yaml | head -30

Repository: openshift-hyperfleet/hyperfleet-sentinel

Length of output: 152

---

Pin the extract-version step image to a digest instead of :latest.

The extract-version task step at line 159 uses image: registry.access.redhat.com/ubi9-minimal:latest, a mutable tag that makes the pipeline non-reproducible and vulnerable to silent behavior/security changes. Pin this image to a digest (@sha256:...) to match the digest-pinned task bundles elsewhere in this file.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.tekton/hyperfleet-sentinel-tag.yaml at line 159, The extract-version task
step currently uses a mutable image tag
"registry.access.redhat.com/ubi9-minimal:latest"; change that to a digest-pinned
reference (e.g., registry.access.redhat.com/ubi9-minimal@sha256:...) so the
extract-version step image is immutable and reproducible—update the image field
for the extract-version step to use the same digest-pinning pattern used by
other task bundles in this file.

[ciaranRoche]

/ok-to-test