Red Hat Konflux update ocm-cli

[red-hat-konflux]

Pipelines as Code configuration proposal

To start the PipelineRun, add a new comment with content /ok-to-test

For more detailed information about running a PipelineRun, please refer to Pipelines as Code documentation Running the PipelineRun

To customize the proposed PipelineRuns after merge, please refer to Build Pipeline customization

Please follow the block sequence indentation style introduced by the proprosed PipelineRuns YAMLs, or keep using consistent indentation level through your customized PipelineRuns. When different levels are mixed, it will be changed to the proposed style.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: red-hat-konflux[bot]
Once this PR has been reviewed and has the lgtm label, please assign rcampos2029 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @red-hat-konflux[bot]. Thanks for your PR.

I'm waiting for a openshift-online member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: b9e51486-1872-482b-8964-0721b87e7c13

📥 Commits

Reviewing files that changed from the base of the PR and between 6003381 and 89873f1.

📒 Files selected for processing (2)

• .tekton/ocm-cli-pull-request.yaml
• .tekton/ocm-cli-push.yaml

---

Summary by CodeRabbit

• New Features

  • Added configurable build parameters: format selection, cache proxy, package registry proxy, and SAST target directories for enhanced build customization and security scanning control.

• Chores

  • Updated pipeline task versions across build and security scanning components.
  • Simplified push pipeline by removing summary reporting step.
  • Streamlined workspace configuration metadata.

Walkthrough

Both Tekton pipeline files (ocm-cli-pull-request.yaml and ocm-cli-push.yaml) are updated with four new build parameters, task graph rewiring to propagate these parameters through early and scanning stages, task bundle version bumps across the entire pipeline, and removal of unnecessary metadata fields.

Changes

Tekton Pipeline Parameter and Task Bundle Updates

Layer / File(s)	Summary
Parameter definitions and pipeline annotations .tekton/ocm-cli-pull-request.yaml, .tekton/ocm-cli-push.yaml	Added four new parameters: buildah-format (default docker), enable-cache-proxy (default false), enable-package-registry-proxy (default true), and sast-target-dirs (default .). Pull-request pipeline annotations updated for PipelineAsCode controls. Push pipeline removes finally: show-summary block. Pipeline descriptions extended.
Init and dependency prefetch task wiring .tekton/ocm-cli-pull-request.yaml, .tekton/ocm-cli-push.yaml	init task receives and passes through enable-cache-proxy parameter; prefetch-dependencies task receives enable-package-registry-proxy. Both tasks updated to newer task bundle versions.
Build task: format and proxy configuration .tekton/ocm-cli-pull-request.yaml, .tekton/ocm-cli-push.yaml	buildah task now receives BUILDAH_FORMAT parameter and HTTP_PROXY/NO_PROXY environment variables sourced from init task results. build-image-index task receives BUILDAH_FORMAT and updated with newer bundle version.
Scan and security check tasks with SAST target directory support .tekton/ocm-cli-pull-request.yaml, .tekton/ocm-cli-push.yaml	SAST tasks (sast-snyk-check, sast-shell-check, sast-unicode-check) now receive TARGET_DIRS from pipeline parameter. All scan/check tasks (source-build, deprecated-image-check, clair-scan, ecosystem-cert-preflight-checks, clamav-scan) bumped to newer bundle versions.
Tag, push, and signature task bundle updates .tekton/ocm-cli-pull-request.yaml, .tekton/ocm-cli-push.yaml	apply-tags, push-dockerfile, and rpms-signature-scan tasks updated to newer bundle versions. rpms-signature-scan task bundle registry namespace updated from konflux-vanguard to konflux-ci.
Workspace PVC metadata cleanup .tekton/ocm-cli-pull-request.yaml, .tekton/ocm-cli-push.yaml	Simplified workspace PVC template metadata by removing creationTimestamp: null and replacing with empty metadata object in both pipelines.

---

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Red Hat Konflux update ocm-cli' directly relates to the changeset, which updates Tekton pipeline configurations for the ocm-cli project in the Red Hat Konflux CI system.
Description check	✅ Passed	The description explains the Pipelines as Code configuration proposal and provides guidance on running and customizing PipelineRuns, which is directly related to the Tekton pipeline YAML changes in the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch konflux-ocm-cli

⚔️ Resolve merge conflicts

• Resolve merge conflict in branch konflux-ocm-cli

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[rcampos2029]

/ok-to-test