
Red Hat Konflux kflux-prd-rh02 update kartograph-agent-runtime#776

Closed
red-hat-konflux-kflux-prd-rh02[bot] wants to merge 1 commit into
mainfrom
konflux-kartograph-agent-runtime

Conversation

@red-hat-konflux-kflux-prd-rh02

Contributor

Pipelines as Code configuration proposal

To start the PipelineRun, add a new comment with content /ok-to-test

For more detailed information about running a PipelineRun, please refer to Pipelines as Code documentation Running the PipelineRun

To customize the proposed PipelineRuns after merge, please refer to Build Pipeline customization

Please follow the block sequence indentation style introduced by the proposed PipelineRun YAMLs, or keep using a consistent indentation level throughout your customized PipelineRuns. When different levels are mixed, it will be changed to the proposed style.

Signed-off-by: red-hat-konflux-kflux-prd-rh02 <konflux@no-reply.konflux-ci.dev>
@coderabbitai

coderabbitai Bot commented Jun 22, 2026

Contributor
📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Configured automated build and push pipelines for container images on pull requests and push events
    • Integrated security and compliance checks including vulnerability scanning and SAST analysis into the build workflow

Walkthrough

Two new Tekton PipelineRun manifests are added under .tekton/ for the kartograph-agent-runtime component. The PR-triggered manifest fires on relevant path changes via a CEL expression; the push-triggered manifest fires on merges to main. Both embed a pipelineSpec that sequences init → clone-repository → prefetch-dependencies → build-container (Buildah) → build-image-index → optional build-source-image, followed by a block of security/compliance scan tasks gated by skip-checks, and post-build apply-tags and push-dockerfile steps. Both use a dedicated service account and optional git-auth/netrc workspaces sourced from a templated secret.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 11
✅ Passed checks (11 passed)
Check name Status Explanation
Title check ✅ Passed The title references Red Hat Konflux kflux-prd-rh02 and kartograph-agent-runtime, which aligns with the pull request adding two Tekton PipelineRun manifests for this component.
Description check ✅ Passed The description addresses Pipelines as Code configuration and references documentation, which is related to the Tekton PipelineRun manifests being added in the changeset.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Sec-02: Secrets In Log Output ✅ Passed No log statements expose secrets, tokens, passwords, or credentials. Python logging uses structured format with labeled fields; secrets handled as separate parameters, not interpolated strings.
No Hardcoded Secrets ✅ Passed No hardcoded secrets, API keys, tokens, passwords, or base64 strings >32 chars found. All sensitive references use templated variables ({{ git_auth_secret }}), and values are properly parameterized...
No Weak Cryptography ✅ Passed PR adds only Tekton pipeline YAML configuration files with no custom cryptographic implementations, banned algorithms, or non-constant-time comparisons. External tasks referenced use secure hashes...
No Injection Vectors ✅ Passed No injection vectors found. These are pure YAML Tekton pipeline manifests containing no CWE-89 (SQL), CWE-78 (exec.Command), CWE-79 (template.HTML), or CWE-502 (Unmarshal) patterns. Parameters are...
No Privileged Containers ✅ Passed No privileged container flags detected in manifests. Parameter privileged-nested defaults to "false" and is documented as remote-VM-only; Tekton PipelineRun manifests are CI/CD, not production de...
No Pii Or Sensitive Data In Logs ✅ Passed No logging statements found in the YAML manifests; these are declarative Tekton configurations that reference external task bundles. No PII, credentials, session IDs, or sensitive request/response...


@coderabbitai coderabbitai Bot left a comment

Contributor


Actionable comments posted: 1

🧹 Nitpick comments (1)
.tekton/kartograph-agent-runtime-pull-request.yaml (1)

11-13: 🧹 Nitpick | 🔵 Trivial | 💤 Low value

CEL path filter includes redundant Dockerfile check.

The glob "src/agent-runtime/***".pathChanged() already covers src/agent-runtime/Dockerfile. The explicit Dockerfile check is redundant but harmless.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.tekton/kartograph-agent-runtime-pull-request.yaml around lines 11 - 13,
Remove the redundant explicit Dockerfile path check from the CEL expression in
the pipelinesascode.tekton.dev/on-cel-expression field. The glob pattern
"src/agent-runtime/***".pathChanged() already covers all files under
src/agent-runtime/ including the Dockerfile, so delete the duplicate condition
"src/agent-runtime/Dockerfile".pathChanged() while keeping the glob pattern and
branch check intact.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 800a4b82-b9bc-451e-b67e-73589742938c

📥 Commits

Reviewing files that changed from the base of the PR and between a632b6e and 358b3cc.

📒 Files selected for processing (2)
  • .tekton/kartograph-agent-runtime-pull-request.yaml
  • .tekton/kartograph-agent-runtime-push.yaml
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift-hyperfleet/architecture (manual)
  • openshift-hyperfleet/hyperfleet-api (manual)
  • openshift-hyperfleet/hyperfleet-sentinel (manual)
  • openshift-hyperfleet/hyperfleet-adapter (manual)
  • openshift-hyperfleet/hyperfleet-broker (manual)

Comment on lines +520 to +531
workspaces:
- name: git-auth
optional: true
- name: netrc
optional: true
taskRunTemplate:
serviceAccountName: build-pipeline-kartograph-agent-runtime
workspaces:
- name: git-auth
secret:
secretName: '{{ git_auth_secret }}'
status: {}
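Review bot: `netrc` is declared `optional: true` under `pipelineSpec.workspaces` but nothing under `spec.workspaces` binds it, so a task that maps it runs with no credentials instead of failing fast; either add a binding next to `git-auth` or drop the declaration if no private index is needed, so the unbound workspace is not mistaken for a working one. Note that `{{ git_auth_secret }}` is a Pipelines as Code dynamic variable generated for each run; there is no equivalent built-in for a netrc secret, so a binding for `netrc` needs a concrete secret name that already exists in the build namespace.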

Contributor

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

netrc workspace declared but not bound in spec.workspaces.

The prefetch-dependencies task maps workspace netrc (line 192-193), and pipelineSpec.workspaces declares it optional (line 523-524), but spec.workspaces (lines 527-530) only binds git-auth. If the agent-runtime requires private registry access during prefetch, this will silently fail to authenticate.

Proposed fix if netrc is needed
   workspaces:
   - name: git-auth
     secret:
       secretName: '{{ git_auth_secret }}'
+  - name: netrc
+    secret:
+      secretName: '{{ netrc_secret }}'
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.tekton/kartograph-agent-runtime-pull-request.yaml around lines 520 - 531,
The netrc workspace is declared in pipelineSpec.workspaces (line 523-524) and
used by the prefetch-dependencies task, but it is not bound in the
spec.workspaces section (lines 527-530). Add a workspace binding for netrc in
spec.workspaces using the same secret pattern as the git-auth binding, ensuring
it references the appropriate secret name that contains the netrc configuration
needed for private registry authentication during the prefetch phase.
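An added check for the gap raised in the comment above (example code written for this page, not code from the PR, from Konflux or from CodeRabbit): it lints a PipelineRun for workspaces that the embedded pipelineSpec declares and a task maps but that spec.workspaces never binds, and also catches the two related mistakes, a required workspace left unbound and a binding whose name matches no declaration. The manifest in the block is a constructed, cut-down stand-in for .tekton/kartograph-agent-runtime-pull-request.yaml, not the real file; the task-to-workspace mappings, the secret name kartograph-netrc and all helper names are assumptions.

```python
import copy
import sys

# Constructed sample: a trimmed PipelineRun shaped like the Konflux manifest
# under discussion. The task workspace mappings are assumed, not copied.
SAMPLE_RUN = {
    "apiVersion": "tekton.dev/v1",
    "kind": "PipelineRun",
    "metadata": {"name": "kartograph-agent-runtime-on-pull-request"},
    "spec": {
        "pipelineSpec": {
            "workspaces": [
                {"name": "git-auth", "optional": True},
                {"name": "netrc", "optional": True},
            ],
            "tasks": [
                {"name": "clone-repository",
                 "workspaces": [{"name": "basic-auth", "workspace": "git-auth"}]},
                {"name": "prefetch-dependencies",
                 "workspaces": [{"name": "git-basic-auth", "workspace": "git-auth"},
                                {"name": "netrc", "workspace": "netrc"}]},
            ],
        },
        "taskRunTemplate": {"serviceAccountName": "build-pipeline-kartograph-agent-runtime"},
        # Only git-auth is bound; netrc is declared above but never bound here.
        "workspaces": [
            {"name": "git-auth", "secret": {"secretName": "{{ git_auth_secret }}"}},
        ],
    },
}


def check_workspace_bindings(run):
    """Compare pipelineSpec.workspaces declarations against spec.workspaces bindings.

    Returns a report with three keys:
      missing_required        - declared non-optional workspaces with no binding
                                (Tekton refuses to run the PipelineRun)
      unbound_optional_in_use - declared optional workspaces that a task maps but
                                nothing binds (the task silently runs without it,
                                which is the netrc case)
      bound_undeclared        - bindings whose name matches no declaration
                                (almost always a typo)
    """
    spec = run.get("spec", {})
    pipeline = spec.get("pipelineSpec", {})
    declared = {w["name"]: bool(w.get("optional", False))
                for w in pipeline.get("workspaces", [])}
    bound = {w["name"] for w in spec.get("workspaces", [])}

    # Which pipeline tasks map each declared workspace. A task binding may omit
    # "workspace:", in which case it refers to the pipeline workspace of the same name.
    users = {}
    for task in pipeline.get("tasks", []) + pipeline.get("finally", []):
        for ws in task.get("workspaces", []):
            target = ws.get("workspace") or ws["name"]
            users.setdefault(target, []).append(task["name"])

    return {
        "missing_required": sorted(n for n, optional in declared.items()
                                   if not optional and n not in bound),
        "unbound_optional_in_use": {n: sorted(users[n]) for n in sorted(declared)
                                    if declared[n] and n not in bound and n in users},
        "bound_undeclared": sorted(bound - declared.keys()),
    }


def is_clean(report):
    return not any(report.values())


def bind_secret(run, workspace, secret_name):
    """Return a copy of the run with `workspace` bound to the named Secret."""
    fixed = copy.deepcopy(run)
    fixed["spec"].setdefault("workspaces", []).append(
        {"name": workspace, "secret": {"secretName": secret_name}})
    return fixed


def main(argv):
    if len(argv) < 2:
        runs = [("constructed sample", SAMPLE_RUN)]
    else:
        import yaml  # PyYAML, only needed to read real manifests from disk
        runs = []
        for path in argv[1:]:
            with open(path) as fh:
                runs.append((path, yaml.safe_load(fh)))
    for label, run in runs:
        report = check_workspace_bindings(run)
        print(f"{label}: {'ok' if is_clean(report) else report}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the netrc finding on the constructed sample, or pass one or more .tekton/*.yaml files (PyYAML required) to lint real manifests. Binding the workspace with bind_secret(SAMPLE_RUN, "netrc", "kartograph-netrc") clears the report; the secret name is an assumption and has to exist in the build namespace, since unlike git_auth_secret it is not a Pipelines as Code dynamic variable.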

@aredenba-rh

Collaborator

Closing as superseded by #737, which merged the Konflux pipeline configuration for kartograph-agent-runtime to main (including customized push/PR pipelines with hp-fleet-gitops deploy-tag automation).

No need to merge this Konflux bootstrap PR — the .tekton/kartograph-agent-runtime-*.yaml files are already on main.
