Red Hat Konflux update cluster-api-provider-agent-mce-217 #818

Open
red-hat-konflux[bot] wants to merge 1 commit into master from konflux-cluster-api-provider-agent-mce-217

@red-hat-konflux

Pipelines as Code configuration proposal

To start the PipelineRun, add a new comment with content /ok-to-test

For more detailed information about running a PipelineRun, please refer to Pipelines as Code documentation Running the PipelineRun

To customize the proposed PipelineRuns after merge, please refer to Build Pipeline customization

Please follow the block sequence indentation style introduced by the proposed PipelineRuns YAMLs, or keep using consistent indentation level through your customized PipelineRuns. When different levels are mixed, it will be changed to the proposed style.

Signed-off-by: red-hat-konflux <konflux@no-reply.konflux-ci.dev>
@coderabbitai

coderabbitai bot commented Feb 5, 2026

Walkthrough

Introduces two new Tekton PipelineRun manifests that define comprehensive multi-platform container image build and validation pipelines. Each file configures a complete CI/CD workflow with task orchestration, conditional execution, multi-step image construction, security scanning, and tagging for different trigger events.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Tekton PipelineRun Configurations: .tekton/cluster-api-provider-agent-mce-217-pull-request.yaml, .tekton/cluster-api-provider-agent-mce-217-push.yaml | New pipeline manifests defining multi-stage CI/CD flows with init, git clone, dependency prefetch, platform-specific image builds via buildah, image indexing, and conditional downstream tasks (security scans, deprecation checks, SAST analysis, tagging, signing). Each uses Tekton bundle-based task references, parameter-driven execution, OCI artifacts, and workspace definitions. |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~40 minutes


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In @.tekton/cluster-api-provider-agent-mce-217-pull-request.yaml:
- Around line 183-208: Several tasks (prefetch-dependencies, apply-tags,
push-dockerfile, deprecated-base-image-check, clair-scan, clamav-scan,
ecosystem-cert-preflight-checks, rpms-signature-scan, sast-coverity-check,
sast-shell-check, sast-snyk-check, sast-unicode-check) consume conditional
results from clone-repository or build-image-index but lack the same guard used
by clone-repository/build-image-index; add a when/condition that checks
init.results.build (e.g. ensure the task's when/condition only runs if
tasks.init.results.build == "true") to each consumer so they don't try to read
missing results when init returned false, matching the guard pattern used by
clone-repository and build-image-index.

In @.tekton/cluster-api-provider-agent-mce-217-push.yaml:
- Around line 179-204: Several tasks consume results from producer tasks that
are gated by $(tasks.init.results.build) but lack the same guard; when
init.results.build == "false" the producers (clone-repository,
build-image-index, prefetch-dependencies) won't run and consumers will fail. For
each consumer task listed (prefetch-dependencies, deprecated-base-image-check,
clair-scan, ecosystem-cert-preflight-checks, sast-snyk-check,
sast-coverity-check, sast-shell-check, sast-unicode-check, rpms-signature-scan,
apply-tags, push-dockerfile) add a when/whenExpression that checks
$(tasks.init.results.build) == "true" (the same init.build guard pattern used
elsewhere) so they only execute when the build is enabled; update the task
definitions (e.g., taskRef blocks for prefetch-dependencies, apply-tags,
push-dockerfile and the listed scan/check tasks) to include this guard.

Comment on lines +183 to +208
params:
- name: input
value: $(params.prefetch-input)
- name: SOURCE_ARTIFACT
value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
- name: ociStorage
value: $(params.output-image).prefetch
- name: ociArtifactExpiresAfter
value: $(params.image-expires-after)
runAfter:
- clone-repository
taskRef:
params:
- name: name
value: prefetch-dependencies-oci-ta
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:c664a6df6514b59c3ce53570b0994b45af66ecc89ba2a8e41834eae0622addf6
- name: kind
value: task
resolver: bundles
workspaces:
- name: git-basic-auth
workspace: git-auth
- name: netrc
workspace: netrc
- matrix:

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

find . -name "cluster-api-provider-agent-mce-217-pull-request.yaml" -type f

Repository: openshift/cluster-api-provider-agent

Length of output: 142


🏁 Script executed:

head -20 .tekton/cluster-api-provider-agent-mce-217-pull-request.yaml

Repository: openshift/cluster-api-provider-agent

Length of output: 993


🏁 Script executed:

wc -l .tekton/cluster-api-provider-agent-mce-217-pull-request.yaml

Repository: openshift/cluster-api-provider-agent

Length of output: 144


🏁 Script executed:

sed -n '1,100p' .tekton/cluster-api-provider-agent-mce-217-pull-request.yaml

Repository: openshift/cluster-api-provider-agent

Length of output: 4307


🏁 Script executed:

sed -n '160,220p' .tekton/cluster-api-provider-agent-mce-217-pull-request.yaml

Repository: openshift/cluster-api-provider-agent

Length of output: 1938


🏁 Script executed:

sed -n '300,350p' .tekton/cluster-api-provider-agent-mce-217-pull-request.yaml

Repository: openshift/cluster-api-provider-agent

Length of output: 1761


🏁 Script executed:

sed -n '320,360p' .tekton/cluster-api-provider-agent-mce-217-pull-request.yaml

Repository: openshift/cluster-api-provider-agent

Length of output: 1287


🏁 Script executed:

sed -n '560,640p' .tekton/cluster-api-provider-agent-mce-217-pull-request.yaml

Repository: openshift/cluster-api-provider-agent

Length of output: 2768


🏁 Script executed:

rg -n "init:" .tekton/cluster-api-provider-agent-mce-217-pull-request.yaml -A 30

Repository: openshift/cluster-api-provider-agent

Length of output: 1193


🏁 Script executed:

sed -n '240,280p' .tekton/cluster-api-provider-agent-mce-217-pull-request.yaml

Repository: openshift/cluster-api-provider-agent

Length of output: 1467


🏁 Script executed:

sed -n '180,210p' .tekton/cluster-api-provider-agent-mce-217-pull-request.yaml | cat -n

Repository: openshift/cluster-api-provider-agent

Length of output: 1274


🏁 Script executed:

rg -n "build-image-index" .tekton/cluster-api-provider-agent-mce-217-pull-request.yaml | head -5

Repository: openshift/cluster-api-provider-agent

Length of output: 320


🏁 Script executed:

sed -n '265,310p' .tekton/cluster-api-provider-agent-mce-217-pull-request.yaml

Repository: openshift/cluster-api-provider-agent

Length of output: 1569


🏁 Script executed:

rg -n "clone-repository.results" .tekton/cluster-api-provider-agent-mce-217-pull-request.yaml

Repository: openshift/cluster-api-provider-agent

Length of output: 498


🏁 Script executed:

rg -n "build-image-index.results" .tekton/cluster-api-provider-agent-mce-217-pull-request.yaml

Repository: openshift/cluster-api-provider-agent

Length of output: 1711


🏁 Script executed:

sed -n '570,620p' .tekton/cluster-api-provider-agent-mce-217-pull-request.yaml | cat -n

Repository: openshift/cluster-api-provider-agent

Length of output: 2129


🏁 Script executed:

sed -n '545,580p' .tekton/cluster-api-provider-agent-mce-217-pull-request.yaml | cat -n

Repository: openshift/cluster-api-provider-agent

Length of output: 1527


🏁 Script executed:

python3 << 'EOF'
import re

with open('.tekton/cluster-api-provider-agent-mce-217-pull-request.yaml', 'r') as f:
    lines = f.readlines()

# Find all tasks that consume clone-repository or build-image-index results
tasks = {}
current_task = None
current_task_start = None
has_init_guard = False
in_when_section = False

for i, line in enumerate(lines, 1):
    # Detect task start
    if re.match(r'\s{4}-\s+name:\s+', line):
        if current_task:
            tasks[current_task] = {
                'start': current_task_start,
                'end': i - 1,
                'has_init_guard': has_init_guard,
                'uses_clone_results': False,
                'uses_build_index_results': False
            }
        current_task = line.split('name:')[1].strip()
        current_task_start = i
        has_init_guard = False
        in_when_section = False
    elif current_task:
        # Check for when clause with init.results.build
        if 'when:' in line:
            in_when_section = True
        elif in_when_section and '$(tasks.init.results.build)' in line:
            has_init_guard = True
        elif in_when_section and line.strip() and not line.startswith('      '):
            in_when_section = False
        
        # Check for result consumption
        if '$(tasks.clone-repository.results' in line:
            if current_task in tasks:
                tasks[current_task]['uses_clone_results'] = True
            elif current_task:
                tasks[current_task] = {
                    'start': current_task_start,
                    'end': i,
                    'has_init_guard': has_init_guard,
                    'uses_clone_results': True,
                    'uses_build_index_results': False
                }
        if '$(tasks.build-image-index.results' in line:
            if current_task in tasks:
                tasks[current_task]['uses_build_index_results'] = True
            elif current_task:
                tasks[current_task] = {
                    'start': current_task_start,
                    'end': i,
                    'has_init_guard': has_init_guard,
                    'uses_clone_results': False,
                    'uses_build_index_results': True
                }

# Final task
if current_task:
    tasks[current_task] = {
        'start': current_task_start,
        'end': len(lines),
        'has_init_guard': has_init_guard,
        'uses_clone_results': False,
        'uses_build_index_results': False
    }

# Find tasks that use results but lack guard
print("Tasks consuming clone-repository or build-image-index results:\n")
for task_name in sorted(tasks.keys()):
    task = tasks[task_name]
    if task['uses_clone_results'] or task['uses_build_index_results']:
        consumes = []
        if task['uses_clone_results']:
            consumes.append('clone-repository')
        if task['uses_build_index_results']:
            consumes.append('build-image-index')
        guard_status = "✓ HAS GUARD" if task['has_init_guard'] else "✗ MISSING GUARD"
        print(f"{task_name:30} {guard_status:20} (lines {task['start']}-{task['end']}) - consumes: {', '.join(consumes)}")
EOF

Repository: openshift/cluster-api-provider-agent

Length of output: 143


🏁 Script executed:

python3 << 'EOF'
import re

with open('.tekton/cluster-api-provider-agent-mce-217-pull-request.yaml', 'r') as f:
    content = f.read()
    lines = content.split('\n')

# Parse tasks more carefully
task_pattern = r'^\s{4}-\s+name:\s+(\w+)'
result_pattern_clone = r'\$\(tasks\.clone-repository\.results'
result_pattern_build_index = r'\$\(tasks\.build-image-index\.results'
when_pattern = r'when:\s*\n\s+-\s+input:\s+\$\(tasks\.init\.results\.build\)'

tasks_info = []
current_task = None
task_start = 0

for i, line in enumerate(lines):
    # Match task declaration
    if re.match(task_pattern, line):
        current_task = re.match(task_pattern, line).group(1)
        task_start = i + 1
        tasks_info.append({
            'name': current_task,
            'start': task_start,
            'end': None,
            'uses_clone': False,
            'uses_build_index': False,
            'has_init_guard': False
        })
    # Check for result usage and when guards within task
    if current_task and tasks_info:
        if result_pattern_clone in line:
            tasks_info[-1]['uses_clone'] = True
        if result_pattern_build_index in line:
            tasks_info[-1]['uses_build_index'] = True
        
        # Check if this task has init guard
        if 'when:' in line:
            # Look ahead for init guard
            for j in range(i, min(i+5, len(lines))):
                if '$(tasks.init.results.build)' in lines[j]:
                    tasks_info[-1]['has_init_guard'] = True
                    break

# Mark end of each task
for i in range(len(tasks_info)-1):
    tasks_info[i]['end'] = tasks_info[i+1]['start'] - 1

if tasks_info:
    tasks_info[-1]['end'] = len(lines)

# Print results
print("Tasks with missing init.results.build guards:\n")
for task in tasks_info:
    if (task['uses_clone'] or task['uses_build_index']) and not task['has_init_guard']:
        consumes = []
        if task['uses_clone']:
            consumes.append('clone-repository')
        if task['uses_build_index']:
            consumes.append('build-image-index')
        print(f"❌ {task['name']:30} (lines {task['start']}-{task['end']}) - consumes: {', '.join(consumes)}")

print("\n\nTasks with init.results.build guards:\n")
for task in tasks_info:
    if (task['uses_clone'] or task['uses_build_index']) and task['has_init_guard']:
        consumes = []
        if task['uses_clone']:
            consumes.append('clone-repository')
        if task['uses_build_index']:
            consumes.append('build-image-index')
        print(f"✅ {task['name']:30} (lines {task['start']}-{task['end']}) - consumes: {', '.join(consumes)}")
EOF

Repository: openshift/cluster-api-provider-agent

Length of output: 167


🏁 Script executed:

sed -n '180,210p' .tekton/cluster-api-provider-agent-mce-217-pull-request.yaml

Repository: openshift/cluster-api-provider-agent

Length of output: 1057


🏁 Script executed:

sed -n '328,360p' .tekton/cluster-api-provider-agent-mce-217-pull-request.yaml

Repository: openshift/cluster-api-provider-agent

Length of output: 1095


🏁 Script executed:

sed -n '573,610p' .tekton/cluster-api-provider-agent-mce-217-pull-request.yaml

Repository: openshift/cluster-api-provider-agent

Length of output: 1412


🏁 Script executed:

sed -n '600,645p' .tekton/cluster-api-provider-agent-mce-217-pull-request.yaml

Repository: openshift/cluster-api-provider-agent

Length of output: 1517


🏁 Script executed:

# Let's comprehensively list all tasks that consume results from clone-repository or build-image-index
# and check their when clauses
rg -B 2 -A 25 'name: (prefetch-dependencies|apply-tags|push-dockerfile|deprecated-base-image-check|clair-scan|rpms-signature-scan|sast-unicode-check)' .tekton/cluster-api-provider-agent-mce-217-pull-request.yaml | grep -E "(name:|clone-repository\.results|build-image-index\.results|when:|tasks\.init\.results\.build)"

Repository: openshift/cluster-api-provider-agent

Length of output: 2317


🏁 Script executed:

# Get the full picture of which tasks lack init guard
python3 << 'EOF'
import yaml

with open('.tekton/cluster-api-provider-agent-mce-217-pull-request.yaml', 'r') as f:
    data = yaml.safe_load(f)

tasks = data['spec']['pipelineSpec']['tasks']

# Map task names to their details
task_results = {}

for task in tasks:
    task_name = task.get('name')
    if task_name:
        task_results[task_name] = {
            'uses_clone_results': False,
            'uses_build_index_results': False,
            'uses_prefetch_results': False,
            'has_init_guard': False,
            'when_conditions': []
        }
        
        # Check params for result consumption
        if 'params' in task:
            for param in task['params']:
                param_value = str(param.get('value', ''))
                if 'clone-repository.results' in param_value:
                    task_results[task_name]['uses_clone_results'] = True
                if 'build-image-index.results' in param_value:
                    task_results[task_name]['uses_build_index_results'] = True
                if 'prefetch-dependencies.results' in param_value:
                    task_results[task_name]['uses_prefetch_results'] = True
        
        # Check for when clause
        if 'when' in task:
            for when_condition in task['when']:
                when_input = str(when_condition.get('input', ''))
                task_results[task_name]['when_conditions'].append(when_input)
                if 'tasks.init.results.build' in when_input:
                    task_results[task_name]['has_init_guard'] = True

# Print summary
print("Tasks consuming clone-repository or build-image-index results:\n")
for task_name in sorted(task_results.keys()):
    info = task_results[task_name]
    if info['uses_clone_results'] or info['uses_build_index_results']:
        consumes = []
        if info['uses_clone_results']:
            consumes.append('clone-repository')
        if info['uses_build_index_results']:
            consumes.append('build-image-index')
        if info['uses_prefetch_results']:
            consumes.append('prefetch-dependencies')
        
        guard_status = "✓ HAS init guard" if info['has_init_guard'] else "✗ MISSING init guard"
        print(f"{task_name:35} {guard_status:25} consumes: {', '.join(consumes)}")
        if info['when_conditions']:
            print(f"  When: {info['when_conditions']}")
EOF

Repository: openshift/cluster-api-provider-agent

Length of output: 2182


Add init.results.build guards for all task consumers of conditional results.

Multiple tasks consume results from clone-repository and build-image-index without the init.results.build guard. When init returns false, these upstream tasks don't run, but their consumers still execute and fail attempting to resolve nonexistent results:

  • prefetch-dependencies – consumes clone-repository.results
  • apply-tags – consumes build-image-index.results
  • push-dockerfile – consumes build-image-index.results and prefetch-dependencies.results
  • deprecated-base-image-check – consumes build-image-index.results
  • clair-scan – consumes build-image-index.results
  • clamav-scan – consumes build-image-index.results
  • ecosystem-cert-preflight-checks – consumes build-image-index.results
  • rpms-signature-scan – consumes build-image-index.results
  • sast-coverity-check – consumes clone-repository.results and build-image-index.results
  • sast-shell-check – consumes build-image-index.results and prefetch-dependencies.results
  • sast-snyk-check – consumes build-image-index.results and prefetch-dependencies.results
  • sast-unicode-check – consumes build-image-index.results and prefetch-dependencies.results

Add the same guard as clone-repository and build-image-index to each consumer.

🛠️ Suggested guard pattern
     - name: prefetch-dependencies
       params:
       - name: input
         value: $(params.prefetch-input)
       - name: SOURCE_ARTIFACT
         value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
       - name: ociStorage
         value: $(params.output-image).prefetch
       - name: ociArtifactExpiresAfter
         value: $(params.image-expires-after)
       runAfter:
       - clone-repository
+      when:
+      - input: $(tasks.init.results.build)
+        operator: in
+        values:
+        - "true"
       taskRef:
         params:
         - name: name
           value: prefetch-dependencies-oci-ta
         - name: bundle
           value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:c664a6df6514b59c3ce53570b0994b45af66ecc89ba2a8e41834eae0622addf6
         - name: kind
           value: task
         resolver: bundles

     - name: apply-tags
       params:
       - name: IMAGE_URL
         value: $(tasks.build-image-index.results.IMAGE_URL)
       - name: IMAGE_DIGEST
         value: $(tasks.build-image-index.results.IMAGE_DIGEST)
       runAfter:
       - build-image-index
+      when:
+      - input: $(tasks.init.results.build)
+        operator: in
+        values:
+        - "true"
       taskRef:
         params:
         - name: name
           value: apply-tags
         - name: bundle
           value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:510b6d2a3b188adeb716e49566b57d611ab36bd69a2794b5ddfc11dbf014c2ca
         - name: kind
           value: task
         resolver: bundles
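Review bot: the prefetch-dependencies half of this suggestion ends at `resolver: bundles` and leaves out the `workspaces:` block (git-basic-auth, netrc) that the commented lines +183 to +208 contain, so applying it as a whole-task replacement would drop those bindings; apply only the five `+` lines between `runAfter` and `taskRef`. The `when` block is also shown for just two of the twelve consumers listed above, so push-dockerfile and the scan and SAST tasks need the same lines. Where one of those tasks already has a `when:` list, add the `$(tasks.init.results.build)` entry as another item of that list rather than a second `when:` key, because a repeated key in one mapping is not valid YAML.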

Comment on lines +179 to +204
- name: prefetch-dependencies
params:
- name: input
value: $(params.prefetch-input)
- name: SOURCE_ARTIFACT
value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
- name: ociStorage
value: $(params.output-image).prefetch
- name: ociArtifactExpiresAfter
value: $(params.image-expires-after)
runAfter:
- clone-repository
taskRef:
params:
- name: name
value: prefetch-dependencies-oci-ta
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:c664a6df6514b59c3ce53570b0994b45af66ecc89ba2a8e41834eae0622addf6
- name: kind
value: task
resolver: bundles
workspaces:
- name: git-basic-auth
workspace: git-auth
- name: netrc
workspace: netrc

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# First, let's find and examine the complete file
git ls-files | grep -i tekton | grep -i cluster-api-provider-agent-mce-217-push

Repository: openshift/cluster-api-provider-agent

Length of output: 132


🏁 Script executed:

# Get the file content and search for the init task, clone-repository, build-image-index tasks and their when guards
cat '.tekton/cluster-api-provider-agent-mce-217-push.yaml' | head -300

Repository: openshift/cluster-api-provider-agent

Length of output: 10767


🏁 Script executed:

# Search for all task definitions and their when guards in the file
rg -n "^\s{4}- name:" '.tekton/cluster-api-provider-agent-mce-217-push.yaml' | head -20

Repository: openshift/cluster-api-provider-agent

Length of output: 606


🏁 Script executed:

# Look for the init task specifically and check if it has when guards
rg -A 20 "- name: init$" '.tekton/cluster-api-provider-agent-mce-217-push.yaml'

Repository: openshift/cluster-api-provider-agent

Length of output: 484


🏁 Script executed:

# Check for clone-repository task and its when guards
rg -A 15 "- name: clone-repository$" '.tekton/cluster-api-provider-agent-mce-217-push.yaml'

Repository: openshift/cluster-api-provider-agent

Length of output: 484


🏁 Script executed:

# Check for build-image-index task and its when guards
rg -A 15 "- name: build-image-index$" '.tekton/cluster-api-provider-agent-mce-217-push.yaml'

Repository: openshift/cluster-api-provider-agent

Length of output: 484


🏁 Script executed:

# Check prefetch-dependencies task structure (lines around 179-204)
sed -n '170,220p' '.tekton/cluster-api-provider-agent-mce-217-push.yaml'

Repository: openshift/cluster-api-provider-agent

Length of output: 1569


🏁 Script executed:

# Check lines 300-380 for deprecated-base-image-check and sast-snyk-check
sed -n '294,380p' '.tekton/cluster-api-provider-agent-mce-217-push.yaml'

Repository: openshift/cluster-api-provider-agent

Length of output: 2783


🏁 Script executed:

# Check lines 380-500 for more sast tasks
sed -n '380,520p' '.tekton/cluster-api-provider-agent-mce-217-push.yaml'

Repository: openshift/cluster-api-provider-agent

Length of output: 4677


🏁 Script executed:

# Check lines 550-630 for apply-tags and post-build tasks
sed -n '550,630p' '.tekton/cluster-api-provider-agent-mce-217-push.yaml'

Repository: openshift/cluster-api-provider-agent

Length of output: 2821


Add init.build guards for all tasks consuming conditionally-gated results.

The issue is confirmed: clone-repository and build-image-index are gated by $(tasks.init.results.build), but many of their consumers lack this guard. When init.results.build = false, these producer tasks don't run, causing consumers to fail when accessing their results.

Affected tasks lacking the init.build guard:

  • prefetch-dependencies (line 179) — consumes clone-repository results
  • deprecated-base-image-check, clair-scan, ecosystem-cert-preflight-checks, sast-snyk-check, sast-coverity-check, sast-shell-check, sast-unicode-check, rpms-signature-scan (lines 324–630) — consume build-image-index results
  • apply-tags (line 569) — has no when guard at all; consumes build-image-index results
  • push-dockerfile (line 586) — lacks when guard; consumes build-image-index and prefetch-dependencies results

Add the guard pattern shown in the suggestion to ensure these tasks only run when the build is enabled.

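The guard check from the review above as a reusable script: an added example, not part of this PR or of CodeRabbit's output. It goes beyond the scripts in the analysis chain by deriving the guarded producers from the pipeline itself, following consumers transitively, and scanning `matrix` and `when` as well as `params`. The function names and the small task list (the shape of a parsed `spec.pipelineSpec.tasks`) are constructed for illustration and are not the PR's file.

```python
import re

# Captures <name> from $(tasks.<name>.results.<result>) references.
RESULT_REF = re.compile(r"\$\(tasks\.([\w-]+)\.results\.")
GUARD_INPUT = "$(tasks.init.results.build)"
GUARD = {"input": GUARD_INPUT, "operator": "in", "values": ["true"]}


def iter_strings(node):
    """Yield every string inside nested dicts and lists."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from iter_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_strings(value)


def has_guard(task):
    """True if the task has a when entry requiring init.results.build == "true"."""
    return any(
        w.get("input") == GUARD_INPUT and w.get("operator") == "in"
        and "true" in w.get("values", [])
        for w in task.get("when", [])
    )


def producers_of(task):
    """Names of the tasks whose results this task reads."""
    refs = set()
    for key in ("params", "matrix", "when"):
        for text in iter_strings(task.get(key, [])):
            refs.update(RESULT_REF.findall(text))
    refs.discard(task["name"])
    return refs


def unguarded_consumers(tasks):
    """Map each task lacking the guard to the conditional producers it reads."""
    by_name = {t["name"]: t for t in tasks}
    guarded = {name for name, t in by_name.items() if has_guard(t)}
    conditional = set(guarded)
    changed = True
    while changed:  # a consumer of a conditional task is itself conditional
        changed = False
        for name, task in by_name.items():
            if name not in conditional and producers_of(task) & conditional:
                conditional.add(name)
                changed = True
    return {name: sorted(producers_of(by_name[name]) & conditional)
            for name in by_name if name in conditional and name not in guarded}


def add_guard(task):
    """Copy of the task with the guard appended to any existing when list."""
    fixed = dict(task)
    fixed["when"] = list(task.get("when", [])) + [dict(GUARD)]
    return fixed


def res(task, result):
    return "$(tasks.%s.results.%s)" % (task, result)


# Constructed sample, reduced to the fields the check reads.
SAMPLE_TASKS = [
    {"name": "init"},
    {"name": "clone-repository", "when": [dict(GUARD)]},
    {"name": "prefetch-dependencies",
     "params": [{"name": "SOURCE_ARTIFACT", "value": res("clone-repository", "SOURCE_ARTIFACT")}]},
    {"name": "build-images", "when": [dict(GUARD)],
     "matrix": {"params": [{"name": "PLATFORM", "value": ["linux/x86_64"]}]},
     "params": [{"name": "SOURCE_ARTIFACT", "value": res("prefetch-dependencies", "SOURCE_ARTIFACT")}]},
    {"name": "build-image-index", "when": [dict(GUARD)],
     "params": [{"name": "IMAGES", "value": [res("build-images", "IMAGE_REF[*]")]}]},
    {"name": "clair-scan",
     "when": [{"input": "$(params.skip-checks)", "operator": "in", "values": ["false"]}],
     "params": [{"name": "image-digest", "value": res("build-image-index", "IMAGE_DIGEST")}]},
    {"name": "push-dockerfile",
     "params": [{"name": "IMAGE", "value": res("build-image-index", "IMAGE_URL")},
                {"name": "SOURCE_ARTIFACT", "value": res("prefetch-dependencies", "SOURCE_ARTIFACT")}]},
]

if __name__ == "__main__":
    for name, producers in unguarded_consumers(SAMPLE_TASKS).items():
        print("%s: missing guard, reads %s" % (name, ", ".join(producers)))
```

To run it against a real PipelineRun, load the YAML with a parser of your choice and pass `spec.pipelineSpec.tasks` to `unguarded_consumers`.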

@CrystalChun

/ok-to-test

@openshift-ci openshift-ci bot added the ok-to-test Indicates a non-member PR verified by an org member that is safe to test. label Feb 7, 2026
@openshift-ci

openshift-ci bot commented Feb 7, 2026

@red-hat-konflux[bot]: all tests passed!
