Red Hat Konflux update cluster-api-provider-agent-mce-51 #878

Open
red-hat-konflux[bot] wants to merge 1 commit into master from konflux-cluster-api-provider-agent-mce-51

@red-hat-konflux red-hat-konflux Bot commented Apr 23, 2026

Pipelines as Code configuration proposal

To start the PipelineRun, add a new comment with content /ok-to-test

For more detailed information about running a PipelineRun, please refer to Pipelines as Code documentation Running the PipelineRun

To customize the proposed PipelineRuns after merge, please refer to Build Pipeline customization

Please follow the block sequence indentation style introduced by the proposed PipelineRuns YAMLs, or keep using consistent indentation level through your customized PipelineRuns. When different levels are mixed, it will be changed to the proposed style.

Summary by CodeRabbit

  • Chores
    • Added automated CI/CD pipeline configurations that trigger on pull requests and code pushes, including multi-platform image builds, security and compliance scanning, and automated artifact management.

Signed-off-by: red-hat-konflux <konflux@no-reply.konflux-ci.dev>

coderabbitai Bot commented Apr 23, 2026

Walkthrough

Two new Tekton PipelineRun configurations are added for the cluster-api-provider-agent-mce-51 project: one triggering on pull requests to master and another on push events to master. Both define identical multi-stage CI/CD workflows including repository cloning, multi-platform image building, optional security scanning, and artifact pushing.

Changes

Cohort / File(s): Tekton CI/CD Pipelines (.tekton/cluster-api-provider-agent-mce-51-pull-request.yaml, .tekton/cluster-api-provider-agent-mce-51-push.yaml)
Summary: Two PipelineRun configurations defining build workflows with repository initialization, multi-platform image building via Buildah, optional security/compliance scanning (base image checks, Clair, Snyk, ClamAV), image indexing, source image building, artifact tagging, Dockerfile pushing, and RPM signature scanning. PR version triggers on pull requests; push version triggers on master branch pushes.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~35 minutes

🚥 Pre-merge checks | ✅ 12
✅ Passed checks (12 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'Red Hat Konflux update cluster-api-provider-agent-mce-51' accurately describes the main change: adding new Tekton PipelineRun configurations for cluster-api-provider-agent-mce-51 as part of a Red Hat Konflux CI/CD update.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed This PR only adds Tekton pipeline YAML configuration files, not Ginkgo test files. The check is not applicable.
Test Structure And Quality ✅ Passed This PR contains only Tekton PipelineRun YAML configuration files with no Go test files to review.
Microshift Test Compatibility ✅ Passed Pull request only adds Tekton PipelineRun YAML configuration files for CI/CD pipeline setup. No Ginkgo e2e tests introduced, so custom check for MicroShift test compatibility is not applicable.
Single Node Openshift (Sno) Test Compatibility ✅ Passed PR adds only Tekton PipelineRun YAML files for CI/CD, no Ginkgo e2e test code found.
Topology-Aware Scheduling Compatibility ✅ Passed The PR adds Tekton PipelineRun CI/CD configuration files, not deployment manifests, operator code, or controllers that would require topology-aware scheduling considerations.
Ote Binary Stdout Contract ✅ Passed PR only adds Tekton YAML pipeline configuration files with no Go source code modifications, making the OTE Binary Stdout Contract check inapplicable.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed PR adds only Tekton pipeline configuration files (YAML manifests) with no Ginkgo e2e tests introduced, making the IPv6 and disconnected network test compatibility check not applicable.

@openshift-ci openshift-ci Bot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Apr 23, 2026
@openshift-ci openshift-ci Bot requested review from carbonin and gamli75 April 23, 2026 14:19
@openshift-ci openshift-ci Bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Apr 23, 2026

openshift-ci Bot commented Apr 23, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: red-hat-konflux[bot]
Once this PR has been reviewed and has the lgtm label, please assign eliorerz for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


openshift-ci Bot commented Apr 23, 2026

Hi @red-hat-konflux[bot]. Thanks for your PR.

I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (2)
.tekton/cluster-api-provider-agent-mce-51-pull-request.yaml (2)

94-99: Missing type field for parameters.

These two parameters (enable-cache-proxy and enable-package-registry-proxy) are missing the type: string declaration that other similar boolean-style parameters have (e.g., skip-checks, hermetic).

♻️ Proposed fix for consistency
     - default: "false"
       description: Enable cache proxy configuration
       name: enable-cache-proxy
+      type: string
     - default: "true"
       description: Use the package registry proxy when prefetching dependencies
       name: enable-package-registry-proxy
+      type: string
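Review bot: the two added `type: string` lines cover only the pull-request PipelineRun, while the walkthrough describes the push PipelineRun as defining an identical workflow. The `enable-cache-proxy` and `enable-package-registry-proxy` parameters in .tekton/cluster-api-provider-agent-mce-51-push.yaml should get the same declaration in the same commit so the two files do not drift. The defaults stay as the quoted strings "false" and "true", which is consistent with the declared type.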
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.tekton/cluster-api-provider-agent-mce-51-pull-request.yaml around lines 94
- 99, The two pipeline parameters enable-cache-proxy and
enable-package-registry-proxy are missing the type declaration; update each
parameter block that contains name: enable-cache-proxy and name:
enable-package-registry-proxy to include type: string (keeping their default
values as the string literals "false" and "true") so they match other
boolean-style parameters like skip-checks and hermetic.

119-131: Consider adding result descriptions.

All pipeline results have empty description: "" fields. Adding brief descriptions would improve pipeline documentation and help users understand what each result represents.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.tekton/cluster-api-provider-agent-mce-51-pull-request.yaml around lines 119
- 131, Add meaningful brief descriptions for each pipeline result entry that
currently has an empty description: IMAGE_URL, IMAGE_DIGEST, CHAINS-GIT_URL, and
CHAINS-GIT_COMMIT. For each result update the corresponding description field to
a one-line explanation (e.g., "Image registry URL produced by
build-image-index", "Image digest produced by build-image-index", "Repository
URL from clone-repository", "Commit SHA from clone-repository") so users and
tools can understand what each result represents.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 84d86d52-83dc-4b17-a772-79a88e57d11a

📥 Commits

Reviewing files that changed from the base of the PR and between e163d45 and d8a5d9c.

📒 Files selected for processing (2)
  • .tekton/cluster-api-provider-agent-mce-51-pull-request.yaml
  • .tekton/cluster-api-provider-agent-mce-51-push.yaml

Comment on lines +198 to +202
    - matrix:
        params:
        - name: PLATFORM
          value:
          - $(params.build-platforms)

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

Tekton matrix params array parameter syntax

💡 Result:

The syntax for array parameters in Tekton matrix is defined under the matrix.params field in a PipelineTask. Each matrix parameter must be an array of strings and matches a parameter name in the referenced Task.

Basic syntax for static arrays:

    matrix:
      params:
        - name: platform
          value:
            - linux
            - mac
        - name: browser
          value:
            - chrome
            - safari

For dynamic arrays from Pipeline parameters (whole array replacement):

    matrix:
      params:
        - name: param-two
          value: $(params.bar[*])

For individual elements from array parameters:

    matrix:
      params:
        - name: param-one
          value:
            - $(params.bar[0])

Key rules:

  • Matrix parameters must be unique and match Task parameters.
  • Cannot be used in both matrix and params fields simultaneously.
  • Empty array skips the PipelineTask.
  • Supports string replacements from Pipeline parameters, results, etc., after substitution.

Enable beta feature flag enable-api-fields: "beta" for Matrix support. Examples from official Tekton docs demonstrate combinations generating parallel TaskRuns.

Correct matrix parameter array syntax to expand the build-platforms parameter.

The matrix parameter syntax is incorrect. Using value: - $(params.build-platforms) wraps the parameter reference as a single literal value instead of expanding it into multiple matrix runs. According to Tekton documentation, the correct syntax for expanding an array parameter is value: $(params.build-platforms[*]).

This issue exists in 4 tasks: lines 198–202 (build-platforms), 321–325 (clair-scan), 348–352 (ecosystem-cert-preflight), and 399–403 (clamav-scan).

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.tekton/cluster-api-provider-agent-mce-51-pull-request.yaml around lines 198
- 202, The matrix parameter arrays are using a single literal entry "value: -
$(params.build-platforms)" which prevents expanding the build-platforms
parameter into multiple matrix runs; update each matrix block that declares the
PLATFORM param (the matrix entries associated with the build-platforms task and
the clair-scan, ecosystem-cert-preflight, and clamav-scan tasks) to use the
array expansion syntax value: $(params.build-platforms[*]) so the parameter is
expanded into individual matrix values rather than one literal item.

Comment on lines +540 to +551
        workspaces:
        - name: git-auth
          optional: true
        - name: netrc
          optional: true
      taskRunTemplate:
        serviceAccountName: build-pipeline-cluster-api-provider-agent-mce-51
      workspaces:
      - name: git-auth
        secret:
          secretName: '{{ git_auth_secret }}'
    status: {}

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if other Konflux pipelines bind the netrc workspace
rg -n 'name: netrc' --type yaml -A 3 -B 1

Repository: openshift/cluster-api-provider-agent

Length of output: 62


🏁 Script executed:

# First, let's examine the full pipeline file to see if netrc is referenced anywhere
head -600 ".tekton/cluster-api-provider-agent-mce-51-pull-request.yaml" | tail -100

Repository: openshift/cluster-api-provider-agent

Length of output: 3357


🏁 Script executed:

# Check how many lines the file has and look for any netrc references
wc -l ".tekton/cluster-api-provider-agent-mce-51-pull-request.yaml"
rg -n 'netrc' ".tekton/cluster-api-provider-agent-mce-51-pull-request.yaml"

Repository: openshift/cluster-api-provider-agent

Length of output: 218


🏁 Script executed:

# List other Tekton pipeline files to compare patterns
fd -e yaml -path '*/.tekton/*' | head -20

Repository: openshift/cluster-api-provider-agent

Length of output: 248


🏁 Script executed:

# Check if other similar Tekton files have netrc workspace bindings
rg -l 'netrc' ".tekton/*.yaml" 2>/dev/null || echo "No netrc references found in .tekton yaml files"

Repository: openshift/cluster-api-provider-agent

Length of output: 127


🏁 Script executed:

# Show lines around 196 to identify the task using netrc
sed -n '180,210p' ".tekton/cluster-api-provider-agent-mce-51-pull-request.yaml"

Repository: openshift/cluster-api-provider-agent

Length of output: 1002


🏁 Script executed:

# Also check the full workspaces section to see all workspace references
sed -n '540,551p' ".tekton/cluster-api-provider-agent-mce-51-pull-request.yaml"

Repository: openshift/cluster-api-provider-agent

Length of output: 366


Add netrc workspace binding or remove its declaration.

The netrc workspace is declared as optional in the pipelineSpec (line 543) and referenced by the prefetch-dependencies task (line 197), but unlike git-auth, it has no corresponding binding in the spec-level workspaces section (lines 547-550). Either add a binding for netrc to match the git-auth pattern, or remove the declaration if it's not used.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.tekton/cluster-api-provider-agent-mce-51-pull-request.yaml around lines 540
- 551, The pipeline spec declares an optional workspace named "netrc" but does
not provide a spec-level binding like it does for "git-auth", causing an unbound
workspace referenced by the "prefetch-dependencies" task; either add a binding
under the top-level workspaces section (mirroring "git-auth" by adding a - name:
netrc secret: secretName: '{{ netrc_secret }}' or similar) so the "netrc"
workspace is available to the "prefetch-dependencies" task, or remove the
"netrc" declaration from the pipelineSpec if it is not used anywhere.

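An added example, not part of the PR or of CodeRabbit's output: a Python check that classifies each workspace a PipelineRun declares as bound, optional and unbound, or required and unbound, which is the distinction the netrc finding above turns on, and reports which secret each binding mounts. The sample PipelineRun is constructed from the workspace lines quoted in the review; the task-to-workspace wiring and the function name `classify_workspaces` are assumptions.

```python
# Added example. SAMPLE is constructed: only the workspace names, the optional
# flags and the git-auth secret binding come from the lines quoted in the review.
SAMPLE = {
    "spec": {
        "pipelineSpec": {
            "tasks": [
                # Task-to-workspace wiring below is assumed for illustration.
                {"name": "clone-repository",
                 "workspaces": [{"name": "basic-auth", "workspace": "git-auth"}]},
                {"name": "prefetch-dependencies",
                 "workspaces": [{"name": "git-basic-auth", "workspace": "git-auth"},
                                {"name": "netrc", "workspace": "netrc"}]},
            ],
            "workspaces": [{"name": "git-auth", "optional": True},
                           {"name": "netrc", "optional": True}],
        },
        "workspaces": [{"name": "git-auth",
                        "secret": {"secretName": "{{ git_auth_secret }}"}}],
    }
}


def classify_workspaces(pipelinerun):
    """Map each workspace name to its binding state, secret and consumers."""
    spec = pipelinerun.get("spec", {})
    pipeline = spec.get("pipelineSpec", {})
    bindings = {b["name"]: b for b in spec.get("workspaces", [])}

    # Which tasks consume each pipeline-level workspace. A task entry names the
    # pipeline workspace in "workspace"; fall back to "name" when it is omitted.
    used_by = {}
    for task in pipeline.get("tasks", []) + pipeline.get("finally", []):
        for ws in task.get("workspaces", []):
            target = ws.get("workspace") or ws["name"]
            used_by.setdefault(target, []).append(task["name"])

    def entry(name, state):
        secret = bindings.get(name, {}).get("secret", {}).get("secretName")
        return {"state": state, "secret": secret, "used_by": used_by.get(name, [])}

    report = {}
    for decl in pipeline.get("workspaces", []):
        name = decl["name"]
        if name in bindings:
            state = "bound"
        elif decl.get("optional", False):
            state = "optional-unbound"   # allowed: optional workspaces may stay unbound
        else:
            state = "required-unbound"   # Tekton rejects a run missing this binding
        report[name] = entry(name, state)
    # A binding with no matching declaration is also worth flagging.
    for name in bindings.keys() - report.keys():
        report[name] = entry(name, "undeclared-binding")
    return report
```

In practice the dictionary would come from `yaml.safe_load` on the rendered PipelineRun, after the `{{ ... }}` template values have been substituted.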