
Red Hat Konflux update lvm-operator-bundle-4-23#2369

Open
red-hat-konflux[bot] wants to merge 1 commit into main from konflux-lvm-operator-bundle-4-23

Conversation


@red-hat-konflux red-hat-konflux Bot commented May 18, 2026

Pipelines as Code configuration proposal

To start the PipelineRun, add a new comment with content /ok-to-test

For more detailed information about running a PipelineRun, please refer to Pipelines as Code documentation Running the PipelineRun

To customize the proposed PipelineRuns after merge, please refer to Build Pipeline customization

Please follow the block sequence indentation style introduced by the proposed PipelineRuns YAMLs, or keep using a consistent indentation level throughout your customized PipelineRuns. When different levels are mixed, it will be changed to the proposed style.

Summary by CodeRabbit

  • Chores
    • Configured automated build pipeline for the lvm-operator-bundle triggered on pull requests and production releases.
    • Integrated security verification into the automated build process, including vulnerability scanning, base image validation, and ecosystem compliance checks.
    • Enhanced build security with isolated execution and credential management.

Signed-off-by: red-hat-konflux <konflux@no-reply.konflux-ci.dev>
@openshift-ci openshift-ci Bot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label May 18, 2026

coderabbitai Bot commented May 18, 2026

Walkthrough

Two Tekton PipelineRun manifests were added to .tekton/ for building and scanning the lvm-operator bundle image on pull requests and push events. Both pipelines orchestrate an identical workflow: git clone, optional dependency prefetch, buildah image build with context and arguments, optional source image construction, OCI image index creation, and conditional security scanning (clair, ecosystem cert, SAST variants) before tagging, pushing, and RPM signature verification.

Changes

LVM Operator Bundle Build Pipelines (PR and Push)

Files (every layer below): .tekton/lvm-operator-bundle-4-23-pull-request.yaml, .tekton/lvm-operator-bundle-4-23-push.yaml

Layer | Summary
Pipeline metadata and parameters | PR and push pipeline identities, annotations, namespace targeting, and input parameters (git source, output image, Dockerfile path, build toggles, artifact expiration, SAST directories, build args).
Core build workflow | Orchestrated tasks: init (proxy/cache setup), git-clone-oci-ta (repository clone into OCI artifacts), prefetch-dependencies-oci-ta (optional dependency prefetch), buildah-oci-ta (image build with hermetic/privileged-nested mode), and build-image-index (OCI index creation with digest/URL results).
Source image build and security gate initialization | Optional source-build-oci-ta task gated by build-source-image param; deprecated-base-image-check task gated by skip-checks == "false".
Comprehensive security scanning suite | Conditional scanning tasks (clair-scan, ecosystem-cert-preflight-checks, SAST variants including snyk/clamav/shell/unicode checks), each parameterized with image URL/digest and SAST targets, each gated by skip-checks == "false".
Image publishing and finalization | Tasks: apply-tags (image tagging), push-dockerfile-oci-ta (Dockerfile push), rpms-signature-scan (RPM signature verification, gated by skip-checks == "false").
Workspace and service account configuration | Optional git-auth and netrc workspaces sourced from Kubernetes secrets; taskRunTemplate serviceAccountName binding for task execution.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

  • jerpeter1
  • jeff-roche
  • qJkee
Pre-merge checks: 12 passed

Check name | Status | Explanation
Description Check | Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | Passed | The title refers to a Red Hat Konflux update for lvm-operator-bundle-4-23, which matches the PR's addition of two Tekton PipelineRun YAML files for this component.
Docstring Coverage | Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | Passed | Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names | Passed | PR adds only Tekton PipelineRun YAML manifests. No Ginkgo test files are modified. The check targets Ginkgo test names and is not applicable.
Test Structure And Quality | Passed | PR adds only Tekton YAML pipelines (.tekton/lvm-operator-bundle-4-23-pull-request.yaml and push.yaml), no Ginkgo tests. Check for Ginkgo test code quality is not applicable.
Microshift Test Compatibility | Passed | No Ginkgo e2e tests are added in this PR. The changes consist solely of two Tekton PipelineRun YAML configuration files for CI/CD workflows. The custom check is not applicable.
Single Node Openshift (Sno) Test Compatibility | Passed | Not applicable: PR adds Tekton PipelineRun YAML manifests, not Ginkgo e2e tests. Custom check only applies when Ginkgo tests are added.
Topology-Aware Scheduling Compatibility | Passed | PR adds only Tekton PipelineRun CI/CD definitions without deployment manifests, operator code, or pod scheduling constraints. No topology-aware scheduling issues detected.
Ote Binary Stdout Contract | Passed | Custom check applies only to Go test code (main, suite setup, logging in process). PR modifies only YAML Tekton pipeline configs; no code changes are subject to this check.
Ipv6 And Disconnected Network Test Compatibility | Passed | No Ginkgo e2e tests added. The PR adds only Tekton pipeline YAML configuration files, which are not subject to this check.


@openshift-ci openshift-ci Bot requested review from jaypoulz and jerpeter1 May 18, 2026 11:59

openshift-ci Bot commented May 18, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: red-hat-konflux[bot]
Once this PR has been reviewed and has the lgtm label, please assign eggfoobar for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.tekton/lvm-operator-bundle-4-23-pull-request.yaml:
- Line 5: The metadata annotation build.appstudio.openshift.io/repo is hardcoded
to openshift/lvm-operator causing fork PRs to record the wrong repo; change the
annotation value to use the template variable ({{source_url}}) that supplies the
actual git URL (and keep the {{revision}} token as-is), updating occurrences of
build.appstudio.openshift.io/repo in the file so the repo annotation matches the
cloned source for branch/PR builds.
- Around line 9-12: The on-cel-expression currently allows all pull_request
events to run; update pipelinesascode.tekton.dev/on-cel-expression to include an
authorization/maintainer gate so only approved PRs trigger runs (either use
PaC's native authorization feature or extend the CEL filter). Modify the
expression referenced by pipelinesascode.tekton.dev/on-cel-expression to require
maintainer membership or an explicit approval token/comment (for example add a
condition like author_association == "MEMBER" || comment =~ "ok-to-test" or
integrate the PaC authorization variable) so PR runs are blocked until the
maintainer gating is satisfied.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 551e49bc-834a-4fd6-b481-b8745493b131

📥 Commits

Reviewing files that changed from the base of the PR and between 35feacc and 8441793.

📒 Files selected for processing (2)
  • .tekton/lvm-operator-bundle-4-23-pull-request.yaml
  • .tekton/lvm-operator-bundle-4-23-push.yaml

kind: PipelineRun
metadata:
  annotations:
    build.appstudio.openshift.io/repo: https://github.com/openshift/lvm-operator?rev={{revision}}

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Keep the repo annotation aligned with the actual clone source.

git-url is sourced from {{source_url}}, but the metadata repo is hardcoded to openshift/lvm-operator. Fork PRs will publish build metadata for a different repo than the one actually cloned.

Suggested fix
-    build.appstudio.openshift.io/repo: https://github.com/openshift/lvm-operator?rev={{revision}}
+    build.appstudio.openshift.io/repo: '{{source_url}}?rev={{revision}}'
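Review bot: the single quotes on the + line are required, not cosmetic: a YAML plain scalar cannot begin with a brace, so an unquoted {{source_url}}?rev={{revision}} would be read as a flow mapping and the manifest would fail to load. Keep the quoting when the same change is applied at the other occurrences of build.appstudio.openshift.io/repo (lines 21-22 and the push manifest).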

Also applies to: 21-22


Comment on lines +9 to +12

    pipelinesascode.tekton.dev/cancel-in-progress: "true"
    pipelinesascode.tekton.dev/max-keep-runs: "3"
    pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch == "main"

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

Pipelines as Code: how do I require a /ok-to-test comment before a PipelineRun is allowed to start for pull requests, and what trigger or annotation pattern should be used instead of a plain event == "pull_request" CEL filter?

💡 Result:

To require a /ok-to-test comment before a PipelineRun starts in Tekton, you should use the built-in capabilities of Pipelines-as-Code or the GitHub Interceptor in Tekton Triggers, rather than manually constructing CEL filters for comment parsing [1][2].

Pipelines-as-Code (PaC)

If you are using Pipelines-as-Code, this functionality is native [1]. When an unauthorized user (e.g., a contributor who is not an organization member or repository collaborator) opens a pull request, PaC automatically blocks the PipelineRun and posts a pending status check [1]. Authorized users can then initiate the PipelineRun by commenting /ok-to-test on the pull request [1].

Tekton Triggers (GitHub Interceptor)

If you are using Tekton Triggers directly, you should use the GitHub Interceptor with the owners validation feature enabled [2]. This interceptor is designed to handle security gating for pull requests [3][2].

1. Configuration: Configure your EventListener to use the GitHub Interceptor [2].
2. Enable Owners Validation: Set the githubOwners parameter to enabled: true [2].
3. Event Types: Ensure your interceptor is configured to listen for both pull_request and issue_comment events, as both are required for this workflow [2].

Example configuration snippet:

    triggers:
      - name: github-listener
        interceptors:
          - ref:
              name: "github"
              kind: ClusterInterceptor
            params:
              - name: "eventTypes"
                value: ["pull_request", "issue_comment"]
              - name: "githubOwners"
                value:
                  enabled: true
                  checkType: none

Why avoid manual CEL filters?

Using a plain event == "pull_request" CEL filter is insufficient because it does not provide the necessary security context (e.g., verifying if the commenter is an authorized owner) or the state management required to gate execution [2]. Manual CEL filters are prone to errors when parsing complex JSON payloads from webhooks and do not natively handle the "pending" status or the re-triggering logic that the GitHub Interceptor provides out-of-the-box [2][4][5]. Using the dedicated GitHub Interceptor ensures that your pipeline respects repository ownership and security policies automatically [3][2].



🏁 Script executed:

# Read the full file to understand the context and check for PaC-specific annotations
cat -n .tekton/lvm-operator-bundle-4-23-pull-request.yaml | head -50

Repository: openshift/lvm-operator

Length of output: 2888

🏁 Script executed:

# Continue reading the file and also check for any PR objectives or documentation
cat -n .tekton/lvm-operator-bundle-4-23-pull-request.yaml | tail -n +50 | head -50

Length of output: 2128

🏁 Script executed:

# Also search for PR objectives or any comment mentioning /ok-to-test requirement
find . -name "*.md" -o -name "*.txt" | xargs grep -l "ok-to-test" 2>/dev/null | head -5

Length of output: 48

🏁 Script executed:

# Check if there's any documentation or PR description files
git log --oneline --all -20 -- .tekton/lvm-operator-bundle-4-23-pull-request.yaml 2>/dev/null || echo "Git log not available"

Length of output: 122

🏁 Script executed:

# Check the commit that added this file for any message about /ok-to-test requirement
git show 8441793 --stat | head -30

Length of output: 1685

🏁 Script executed:

# Search the repository for any documentation about PipelineRun gates or /ok-to-test
rg "ok-to-test" --type md --type yaml -i 2>/dev/null | head -10

Length of output: 48

🏁 Script executed:

# Compare with other pull-request PipelineRun files to see if they have different CEL expressions
find .tekton -name "*pull-request.yaml" -exec basename {} \; | sort

Length of output: 252

🏁 Script executed:

# Check one of the other pull-request YAML files to see their CEL expressions
rg "on-cel-expression" .tekton/*.yaml -A 2

Length of output: 3957

🏁 Script executed:

# Look for PaC documentation or configuration in the repo that mentions authorization/gating
rg "pipelinesascode" . --type yaml -i -A 3 | head -50

Length of output: 48

🏁 Script executed:

# Search for any PaC documentation or configuration in the repository that explains how authorization works
find . -name "README*" -o -name "*.md" | xargs grep -l "PipelineRun\|Pipelines as Code" 2>/dev/null | head -3

Length of output: 48

🏁 Script executed:

# Check if there are any EventListener or other Tekton Triggers configurations that might handle /ok-to-test
find . -name "*.yaml" -o -name "*.yml" | xargs rg "EventListener\|GitHub" 2>/dev/null | head -10

Length of output: 48

🏁 Script executed:

# Look at the specific file again more carefully - check for any auth-related service account bindings
cat -n .tekton/lvm-operator-bundle-4-23-pull-request.yaml | grep -A 5 "serviceAccountName\|build-pipeline"

Length of output: 270


Add authorization check to the CEL expression for PR runs.

The plain event == "pull_request" && target_branch == "main" filter triggers on all PRs without the /ok-to-test comment gate. Use PaC's native authorization mechanism or add an additional CEL condition to enforce the maintainer gating described in the PR objective.

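The first of the two findings above (a hard-coded build.appstudio.openshift.io/repo annotation while git-url comes from {{source_url}}) is the kind of drift that is easy to catch with a pre-commit check over the .tekton/ manifests. The script below is an added example written for this page; it is not part of the lvm-operator repository, the Konflux generator, or CodeRabbit. It works on the manifest text with regular expressions so it needs no YAML library, and the two sample manifests are constructed to mirror the fragments quoted in the review (the param layout under spec.params is an assumption about the full file). It also flags the quoting problem that the suggested fix avoids: a value beginning with a brace must be quoted or YAML reads it as a flow mapping.

```python
"""
Lint Pipelines-as-Code PipelineRun manifests for a repo annotation that does
not match the clone source.  Added example, not project code; sample
manifests are constructed for illustration.
"""
import re
from typing import List, Optional

REPO_ANNOTATION = "build.appstudio.openshift.io/repo"
SOURCE_URL_TEMPLATE = "{{source_url}}"
REVISION_TEMPLATE = "{{revision}}"

# Constructed sample: the 'before' state quoted in the review (hard-coded repo,
# templated git-url).  Only the parts the check needs are included.
SAMPLE_BEFORE = """\
apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
  annotations:
    build.appstudio.openshift.io/repo: https://github.com/openshift/lvm-operator?rev={{revision}}
    pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch == "main"
spec:
  params:
    - name: git-url
      value: '{{source_url}}'
    - name: revision
      value: '{{revision}}'
"""

# Constructed sample: the same manifest with the suggested fix applied (quoted).
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "build.appstudio.openshift.io/repo: https://github.com/openshift/lvm-operator?rev={{revision}}",
    "build.appstudio.openshift.io/repo: '{{source_url}}?rev={{revision}}'",
)

# Constructed sample: the fix applied without quotes, which YAML would reject.
SAMPLE_UNQUOTED = SAMPLE_AFTER.replace("'{{source_url}}?rev={{revision}}'",
                                       "{{source_url}}?rev={{revision}}")


def _unquote(value: str) -> str:
    """Strip one layer of matching single or double quotes from a YAML scalar."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def raw_repo_annotation(manifest: str) -> Optional[str]:
    """Return the annotation value exactly as written (quotes included), or None."""
    m = re.search(rf"^\s*{re.escape(REPO_ANNOTATION)}:\s*(.+)$", manifest, re.M)
    return m.group(1).strip() if m else None


def repo_annotation(manifest: str) -> Optional[str]:
    raw = raw_repo_annotation(manifest)
    return _unquote(raw) if raw is not None else None


def git_url_param(manifest: str) -> Optional[str]:
    # Matches a Tekton param entry: "- name: git-url" followed by "value: ...".
    m = re.search(r"-\s*name:\s*git-url\s*\n\s*value:\s*(.+)$", manifest, re.M)
    return _unquote(m.group(1)) if m else None


def needs_yaml_quoting(raw_scalar: str) -> bool:
    """A plain YAML scalar may not start with '{' (it would be parsed as a flow
    mapping), so a value beginning with {{source_url}} must be quoted."""
    return raw_scalar.lstrip().startswith("{")


def check_repo_annotation(manifest: str) -> List[str]:
    """Return a list of findings; an empty list means the manifest passes."""
    findings: List[str] = []
    raw = raw_repo_annotation(manifest)
    if raw is None:
        return [f"missing {REPO_ANNOTATION} annotation"]
    repo = _unquote(raw)
    if needs_yaml_quoting(raw):
        findings.append(f"{REPO_ANNOTATION} value starts with '{{' and must be quoted")
    if git_url_param(manifest) == SOURCE_URL_TEMPLATE and not repo.startswith(SOURCE_URL_TEMPLATE):
        findings.append(
            f"{REPO_ANNOTATION} is hard-coded to {repo.split('?')[0]} while git-url "
            f"comes from {SOURCE_URL_TEMPLATE}; fork PRs would record build metadata "
            "for a repo other than the one cloned"
        )
    if REVISION_TEMPLATE not in repo:
        findings.append(f"{REPO_ANNOTATION} does not pin {REVISION_TEMPLATE}")
    return findings


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER),
                        ("unquoted", SAMPLE_UNQUOTED)):
        print(label, check_repo_annotation(text) or "ok")
```

Run it over every file under .tekton/ (the push manifest carries the same annotation) and fail the commit on a non-empty result; because it reads the raw text, it catches the unquoted form before a YAML loader ever sees it.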

@pacevedom

/retest


openshift-ci Bot commented May 27, 2026

@red-hat-konflux[bot]: all tests passed!



Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@pacevedom

/retest
