
MULTIARCH-5754: Add RapiDAST pipeline#188

Open
AnnaZivkovic wants to merge 3 commits into
openshift:mainfrom
AnnaZivkovic:rapiDASt-add-config

Conversation

@AnnaZivkovic

@AnnaZivkovic AnnaZivkovic commented Apr 17, 2026

Summary by CodeRabbit

  • New Features

    • Added an automated integration pipeline that provisions an ephemeral environment, deploys an operator bundle, ensures image pull access, and runs an authenticated API DAST (RapiDAST), producing DAST results and logs.
    • Pipeline publishes an authenticated test URL and a config path for downstream consumption.
  • Chores

    • Pipeline is parameterized for snapshot-based deployments and exposes task results to coordinate test steps.

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 17, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Apr 17, 2026
@openshift-ci-robot

openshift-ci-robot commented Apr 17, 2026

@AnnaZivkovic: This pull request references MULTIARCH-5754 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.


In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented Apr 17, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

Adds a new Tekton Pipeline rapidast-integration-pipeline (param SNAPSHOT) that provisions an ephemeral environment, deploys an operator bundle via operator-sdk/OLM, port-forwards a TREX service, and runs an authenticated RapiDAST scan producing DAST results.

Changes

Cohort / File(s) Summary
Tekton RapiDAST Integration Pipeline
.tekton/rapidast-integration-pipeline.yaml
New Pipeline rapidast-integration-pipeline with parameter SNAPSHOT. Adds tasks: provision-env (eaas-provision-space bundle, returns kubeconfig/secretRef), deploy-app (uses kubeconfig, copies/sanitizes pull secret, downloads operator-sdk, extracts and runs bundle from SNAPSHOT, polls Subscription for installedCSV and waits for CSV Succeeded), setup-test (starts port-forward sidecar to svc/trex:8000, uses ocm with OCM_TOKEN to obtain authenticated endpoint, emits task results authenticated_url and config_path), and run-rapiddast (generates config with Authorization header, runs rapidast.py, validates /tmp/results/DAST-*).

Sequence Diagram(s)

sequenceDiagram
    participant Tekton as Tekton Pipeline
    participant K8s as Kubernetes Cluster
    participant OLM as Operator Lifecycle Manager
    participant TREX as TREX Service
    participant OCM as OCM API (via ocm CLI)
    participant RapiDAST as RapiDAST Runner

    Tekton->>K8s: provision-env (eaas-provision-space) -> kubeconfig + secretRef
    Tekton->>K8s: deploy-app: write kubeconfig, copy/sanitize pull secret
    Tekton->>K8s: deploy-app: download operator-sdk, run bundle image from SNAPSHOT
    K8s->>OLM: create Subscription
    OLM->>K8s: install CSV -> CSV status updates
    Tekton->>K8s: poll Subscription.installedCSV, wait for CSV Succeeded
    Tekton->>K8s: setup-test: start port-forward to svc/trex -> localhost:8000
    Tekton->>OCM: setup-test: ocm login (OCM_TOKEN) and query API -> authenticated URL
    Tekton->>RapiDAST: run rapidast.py with Authorization header against authenticated URL
    RapiDAST-->>Tekton: produce /tmp/results/DAST-* and set task results (authenticated_url, config_path)

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name Status Explanation Resolution
Test Structure And Quality ❓ Inconclusive PR adds Tekton pipeline YAML manifest, not Ginkgo test code. Custom check requires review of Ginkgo test quality patterns, which do not apply to infrastructure configuration files. Confirm whether PR contains any Ginkgo test files in Go that should be reviewed against specified quality criteria, or if check is not applicable to this YAML-only PR.
✅ Passed checks (11 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed PR adds only a Tekton pipeline YAML file with no Ginkgo test code or modifications to test files.
Microshift Test Compatibility ✅ Passed This custom check assesses Ginkgo e2e tests for MicroShift compatibility. The PR only adds a Tekton Pipeline manifest file in YAML format, with no new Go test files or Ginkgo e2e tests added. Since the check does not apply to non-test files, it passes.
Single Node Openshift (Sno) Test Compatibility ✅ Passed Pull request adds only a Tekton pipeline manifest file, not Ginkgo tests, making this SNO compatibility check inapplicable.
Topology-Aware Scheduling Compatibility ✅ Passed The pull request adds a Tekton Pipeline resource for DAST integration testing without introducing topology-incompatible scheduling constraints.
Ote Binary Stdout Contract ✅ Passed The OTE Binary Stdout Contract check applies to executable binaries written in Go that communicate with openshift-tests via JSON stdout. This PR only adds Tekton pipeline YAML configuration files, which are declarative and cannot write to stdout, making the check not applicable.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed PR adds .tekton/rapidast-integration-pipeline.yaml (Tekton manifest), not Ginkgo e2e Go tests. Check requires Ginkgo test files.
Title check ✅ Passed The title 'MULTIARCH-5754: Add RapiDAST pipeline' directly and clearly describes the main change: adding a RapiDAST Tekton integration pipeline to the repository, which is confirmed by the raw_summary showing a new Pipeline manifest was added.


Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci Bot requested a review from aleskandro April 17, 2026 01:59
@openshift-ci

openshift-ci Bot commented Apr 17, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign annazivkovic for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot requested a review from Prashanth684 April 17, 2026 02:00
@openshift-ci-robot

openshift-ci-robot commented Apr 17, 2026

@AnnaZivkovic: This pull request references MULTIARCH-5754 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.


In response to this:

Summary by CodeRabbit

  • Chores
  • Added a new Tekton integration pipeline that automates environment setup, application deployment, and API security scanning workflows.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 5

🧹 Nitpick comments (1)
.tekton/rapidast-integration-pipeline.yaml (1)

21-22: Pin git-resolved task revision to an immutable ref.

Using main for taskRef.resolver: git is non-reproducible and can break the pipeline on upstream changes. Replace with a commit SHA or version tag (e.g., e06ee0a or v1.0.0) from https://github.com/konflux-ci/build-definitions.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.tekton/rapidast-integration-pipeline.yaml around lines 21 - 22, The
pipeline uses a mutable ref for the git-resolved task (the revision key set to
"main") which makes runs unreproducible; update the revision value under the
taskRef resolver (the "revision" entry) to a fixed immutable ref—use a commit
SHA or a version tag (e.g., e06ee0a or v1.0.0) from the
konflux-ci/build-definitions repository URL instead of "main" so the pipeline
always uses the exact task revision.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.tekton/rapidast-integration-pipeline.yaml:
- Around line 121-124: Remove the runtime cluster-admin escalation (the SA_NAME
variable and the oc adm policy add-cluster-role-to-user cluster-admin
"${SA_NAME}" call) and instead require a pre-provisioned service account with
least-privilege RBAC; update the task to use that service account (referencing
SA_NAME) and add a validation step that checks for the required specific
roles/clusterroles before proceeding, and document the exact minimal roles the
pipeline requires so operators can provision them ahead of execution.
- Around line 295-299: The check is searching the wrong path: change the
FINAL_RESULTS_DIR assignment to search the configured RESULTS_DIR variable
rather than ./results; update the line that sets FINAL_RESULTS_DIR to use find
"$RESULTS_DIR" -type d -name "DAST-*" -print -quit (preserve quoting and -print
-quit), and keep the subsequent empty-check/exit logic as-is so
FINAL_RESULTS_DIR reflects the actual /tmp/results location when present.
- Around line 131-133: CSV discovery currently relies on an unstable hard-coded
label used in the oc get subscription command (inside the for loop that sets
CSV_NAME), which causes flakiness; change the selector to reliably identify the
Subscription by its spec.package or spec.name instead of that generated label —
e.g., query all subscriptions in the namespace and use a jsonpath filter that
matches .items[?(@.spec.package=='<PACKAGE_NAME>')].status.installedCSV (or
.spec.name if you have the subscription name), so replace the label-based
selector in the CSV_NAME assignment with a jsonpath filter that matches the
known package/subscription identifier.
- Around line 115-116: SNAPSHOT parsing is brittle because OO_BUNDLE is taken
from .components[1] which can be missing; change the extraction of OO_BUNDLE to
select the first non-empty .components[].containerImage from SNAPSHOT (not a
fixed index), and add a check that OO_BUNDLE is non-empty before calling
operator-sdk run bundle so the pipeline fails fast with a clear error if no
bundle image is found. Update the code that sets OO_BUNDLE and the subsequent
validation/exit logic (references: OO_BUNDLE, SNAPSHOT, and the operator-sdk run
bundle invocation).
- Around line 105-113: The task currently writes CLI binaries to /usr/local/bin
which fails in random-UID/OpenShift containers; change the download/install
destination for jq and oc to a writable directory (e.g., $HOME/bin,
$HOME/.local/bin, or /tmp/bin) and ensure that directory is made executable and
added to PATH before use; update the curl/chmod/rm steps that reference
/usr/local/bin/jq and /usr/local/bin/oc to use the new directory and export PATH
so subsequent steps can find the jq and oc executables.

---

Nitpick comments:
In @.tekton/rapidast-integration-pipeline.yaml:
- Around line 21-22: The pipeline uses a mutable ref for the git-resolved task
(the revision key set to "main") which makes runs unreproducible; update the
revision value under the taskRef resolver (the "revision" entry) to a fixed
immutable ref—use a commit SHA or a version tag (e.g., e06ee0a or v1.0.0) from
the konflux-ci/build-definitions repository URL instead of "main" so the
pipeline always uses the exact task revision.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: ea90072b-bd53-44a8-bffa-f28e213d2aff

📥 Commits

Reviewing files that changed from the base of the PR and between 48cbc64 and 801a7bd.

📒 Files selected for processing (1)
  • .tekton/rapidast-integration-pipeline.yaml

@AnnaZivkovic
Author

/retest


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 4

🧹 Nitpick comments (1)
.tekton/rapidast-integration-pipeline.yaml (1)

17-24: Pin the remote task to an immutable revision.

Tracking konflux-ci/build-definitions on main makes this pipeline change behavior without any diff in this repo. Please pin revision to a commit SHA or immutable tag so failures are reproducible.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.tekton/rapidast-integration-pipeline.yaml around lines 17 - 24, The
pipeline currently references the external task repo by mutable branch
("revision" value set to "main"); change the params.revision value to an
immutable identifier (commit SHA or immutable tag) to pin the resolver to a
fixed revision so the task at params.pathInRepo remains reproducible; update the
"revision" parameter in the resolver block (where resolver: git and params
include name: url, name: revision, name: pathInRepo) to the specific commit SHA
or tag and commit that change.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.tekton/rapidast-integration-pipeline.yaml:
- Around line 180-181: The oc port-forward invocation currently uses
--address=0.0.0.0 which exposes the forwarded port cluster-wide; change the
command that runs oc port-forward for svc/trex 8000:8000 to bind to localhost
only (use --address=127.0.0.1 or localhost) so the forwarded port is only
accessible from the pod/container loopback interface and not the entire cluster.
- Around line 193-218: The script currently enables shell xtrace with "set -ex",
which will leak the OCM token when the /tmp/ocm login --token=${OCM_TOKEN}
command is executed; modify the script to disable xtrace just before the login
(e.g., run "set +x"), perform the /tmp/ocm login --token=${OCM_TOKEN}, and then
re-enable xtrace if needed (e.g., "set -x") afterwards, so the token expansion
is not printed to CI logs while keeping tracing for other commands.
- Around line 251-255: The curl step that writes to LOCAL_OPENAPI_PATH currently
fetches openapi.yaml from the repository's main branch which can drift; change
the URL used by the curl command to a pinned, immutable reference (for example
replace the branch segment "main" with the repository commit hash or a release
tag) or alternatively fetch the OpenAPI spec from the same snapshot/artifact
that supplies the deployed image so the spec and deployed app revision are
identical; update the curl invocation that targets ${LOCAL_OPENAPI_PATH}
accordingly and ensure the chosen commit-hash/tag is recorded in the pipeline
inputs.
- Line 125: Update the operator-sdk invocation so it matches the deployment
script: change the `operator-sdk run bundle "$OO_BUNDLE" -n "$NAMESPACE"
--timeout=5m` call to include `--security-context-config restricted` and
increase the timeout to `--timeout=10m`; locate the line invoking `operator-sdk
run bundle` (references: OO_BUNDLE, NAMESPACE, operator-sdk run bundle) and add
the `--security-context-config restricted` flag and set `--timeout=10m`.

---

Nitpick comments:
In @.tekton/rapidast-integration-pipeline.yaml:
- Around line 17-24: The pipeline currently references the external task repo by
mutable branch ("revision" value set to "main"); change the params.revision
value to an immutable identifier (commit SHA or immutable tag) to pin the
resolver to a fixed revision so the task at params.pathInRepo remains
reproducible; update the "revision" parameter in the resolver block (where
resolver: git and params include name: url, name: revision, name: pathInRepo) to
the specific commit SHA or tag and commit that change.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: f1e4a896-99cc-4ab6-85a4-5c509335c12c

📥 Commits

Reviewing files that changed from the base of the PR and between 801a7bd and 77030b7.

📒 Files selected for processing (1)
  • .tekton/rapidast-integration-pipeline.yaml
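The xtrace leak described in the review above (the `set -ex` script expanding `--token=${OCM_TOKEN}` into the CI log) is easy to verify rather than reason about. The following added example is not code from the PR or the pipeline; it uses a constructed stub in place of the `ocm` CLI and a constructed token value, and shows why the token must be expanded only after `set +x` is in effect (wrapping the call in a helper that receives the token as an argument does not help, because xtrace prints the expanded command line before the helper runs):

```shell
#!/usr/bin/env bash
# Added example, not the PR's pipeline code: keep a bearer token out of `set -x` output.
# The CLI call is a constructed stub (ocm_stub); the real task would call `ocm login`.
set -eu

# Stand-in for `ocm login --token=...`: validates the subcommand and succeeds.
# Constructed for this example only.
ocm_stub() {
  [ "$1" = "login" ] || return 2
  return 0
}

# Log in with xtrace switched off for the duration of the call, then restore the caller's
# previous xtrace state. The token is read from OCM_TOKEN *inside* the function, after
# `set +x`: if it were passed as an argument, xtrace would already have printed the expanded
# command line before the function body ran.
ocm_login_quietly() {
  had_xtrace=0
  case "$-" in *x*) had_xtrace=1 ;; esac
  set +x
  rc=0
  ocm_stub login "--token=${OCM_TOKEN}" || rc=$?
  if [ "$had_xtrace" -eq 1 ]; then set -x; fi
  return "$rc"
}

# Run one login style ("naive" or "quiet") under `set -x` in a subshell, capture the trace
# stream (stderr) and report whether the constructed token value appears in it.
# Exit status 0 means the token leaked into the trace.
token_leaks() {
  style="$1"
  OCM_TOKEN="CONSTRUCTED-TOKEN-abc123"
  if [ "$style" = "naive" ]; then
    trace=$( { ( set -x; ocm_stub login "--token=${OCM_TOKEN}" ); } 2>&1 )
  else
    trace=$( { ( set -x; ocm_login_quietly ); } 2>&1 )
  fi
  case "$trace" in
    *"$OCM_TOKEN"*) return 0 ;;
    *)              return 1 ;;
  esac
}

# Demonstration when run directly as `./script demo`: reports which style leaks.
if [ "${1:-}" = "demo" ]; then
  token_leaks naive && echo "naive: token is in the trace"
  token_leaks quiet || echo "quiet: token is not in the trace"
fi
```

The same check can be turned into a CI guard: run the task script once with a known dummy token and grep the captured log for it, so a future edit that moves the login back under xtrace fails the pipeline instead of shipping a credential into the build logs.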


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

♻️ Duplicate comments (1)
.tekton/rapidast-integration-pipeline.yaml (1)

134-139: ⚠️ Potential issue | 🟠 Major

CSV selection is still nondeterministic across multiple subscriptions.

The current query grabs the first installedCSV from all subscriptions in the namespace, which can resolve the wrong operator if more than one subscription exists. Filter by a known package/subscription identifier before waiting.

Suggested fix
-                CSV_NAME=$(oc get subscription -n "$NAMESPACE" -o jsonpath='{.items[*].status.installedCSV}' | awk '{print $1}' || true)
+                CSV_NAME=$(oc get subscription -n "$NAMESPACE" \
+                  -o jsonpath="{.items[?(@.spec.package=='multiarch-tuning-operator')].status.installedCSV}" \
+                  | awk '{print $1}' || true)
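Review bot: the `+` lines hardcode the package name `multiarch-tuning-operator` in the jsonpath filter, while the rest of this pipeline is parameterized on SNAPSHOT; taking the package from a pipeline parameter, or reading it back from the Subscription that `run bundle` created, keeps the selection deterministic without baking the operator name into the query. The trailing `awk '{print $1}'` also still silently picks one value if the filter ever matches more than one Subscription; counting the matches and exiting non-zero on more than one would surface that condition instead of hiding it.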
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.tekton/rapidast-integration-pipeline.yaml around lines 134 - 139, The CSV
selection loop is nondeterministic because it grabs the first installedCSV
across all subscriptions; update the oc query to target the specific
package/subscription instead of all items. Replace the oc get subscription
command used to set CSV_NAME with a targeted query such as using the
subscription name or package identifier (e.g. oc get subscription <SUB_NAME> -n
"$NAMESPACE" -o jsonpath='{.status.installedCSV}' or oc get subscription -n
"$NAMESPACE" -o
jsonpath='{.items[?(@.spec.name=="<PACKAGE_NAME>")].status.installedCSV}') so
CSV_NAME is derived only from the intended subscription; keep the CSV_NAME
variable, loop and check logic but use the targeted jsonpath or explicit
subscription name in the command.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.tekton/rapidast-integration-pipeline.yaml:
- Around line 212-217: The pipeline currently reuses OCM_TOKEN as the target
application's auth credential in the RapiDAST authentication/Authorization
header; replace this by provisioning and referencing a dedicated app-scoped test
secret (e.g., APP_TEST_TOKEN) or remove/disable the auth block until the
operator exposes a real HTTP auth mechanism. Update the RapiDAST authentication
section and any Authorization header entries that reference OCM_TOKEN (including
the blocks around the current Authorization use and the blocks at the other
occurrences noted) to read from the new secret name (or omit the auth fields)
and ensure the secret is created/imported into the pipeline credentials instead
of reusing OCM_TOKEN.
- Around line 181-185: The pipeline hardcodes svc/trex (in the setup-test task's
oc port-forward call) which doesn't exist for this bundle; change the task to
accept parameters (e.g., TARGET_SERVICE, TARGET_PORT, TARGET_PATH) and use those
instead of svc/trex and hardcoded paths, and add a fail-fast check that queries
the cluster for the service (fail with a clear error if missing) before
attempting oc port-forward; update references in the same task and the other
occurrences mentioned (lines ~209-210 and ~230-236) so the flow uses
TARGET_SERVICE/TARGET_PORT/TARGET_PATH and validates existence prior to
port-forwarding or curl.

---

Duplicate comments:
In @.tekton/rapidast-integration-pipeline.yaml:
- Around line 134-139: The CSV selection loop is nondeterministic because it
grabs the first installedCSV across all subscriptions; update the oc query to
target the specific package/subscription instead of all items. Replace the oc
get subscription command used to set CSV_NAME with a targeted query such as
using the subscription name or package identifier (e.g. oc get subscription
<SUB_NAME> -n "$NAMESPACE" -o jsonpath='{.status.installedCSV}' or oc get
subscription -n "$NAMESPACE" -o
jsonpath='{.items[?(@.spec.name=="<PACKAGE_NAME>")].status.installedCSV}') so
CSV_NAME is derived only from the intended subscription; keep the CSV_NAME
variable, loop and check logic but use the targeted jsonpath or explicit
subscription name in the command.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: cad1901a-4f6b-498b-afb5-62ec087e0958

📥 Commits

Reviewing files that changed from the base of the PR and between 77030b7 and c427988.

📒 Files selected for processing (1)
  • .tekton/rapidast-integration-pipeline.yaml

@AnnaZivkovic
Author

/retest

@AnnaZivkovic
Author

/retest

@AnnaZivkovic
Author

/retest


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (2)
.tekton/rapidast-integration-pipeline.yaml (2)

135-140: ⚠️ Potential issue | 🟠 Major

Select the installed CSV by package/subscription, not by position.

Line 139 takes the first non-empty installedCSV from any Subscription in the namespace. If the environment ever contains more than one Subscription, oc wait can bind to the wrong CSV. Filter for the operator's package or the Subscription created by run bundle instead of awk '{print $1}'.

Possible fix
-                CSV_NAME=$(oc get subscription -n "$NAMESPACE" -o jsonpath='{.items[*].status.installedCSV}' | awk '{print $1}' || true)
+                CSV_NAME=$(oc get subscription -n "$NAMESPACE" \
+                  -o jsonpath="{.items[?(@.spec.package=='multiarch-tuning-operator')].status.installedCSV}" || true)
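Review bot: the `+` version drops the `awk '{print $1}'` from the original line, so if the filter matches more than one Subscription, CSV_NAME becomes a space-separated list and the later `oc wait` on it no longer addresses a single resource; either keep a single-match check (fail when the result contains more than one word) or keep the `awk` and log which value was chosen. Note also that `|| true` only masks the exit status of `oc get`; an empty result still relies on the surrounding loop's existing timeout bound, so that bound should stay in place.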
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.tekton/rapidast-integration-pipeline.yaml around lines 135 - 140, The loop
selects the first installedCSV from any Subscription (CSV_NAME) using awk, which
can pick the wrong CSV when multiple Subscriptions exist; change the oc get
subscription command to filter by the specific Subscription or package name
(e.g., use a known SUBSCRIPTION_NAME or the operator package and a jsonpath
filter like selecting
.items[?(@.spec.name=="<package-or-subscription-name>")].status.installedCSV)
instead of awk '{print $1}', so CSV_NAME is set to the installedCSV for the
intended Subscription before running oc wait.

182-186: ⚠️ Potential issue | 🔴 Critical

Replace the copied rh-trex/OCM flow before merging.

These lines are still wired to svc/trex, /api/rh-trex/v1/dinosaurs, and an OCM_TOKEN-backed Authorization header. The inline TODOs already call out that these are example values. As written, this task will either fail on the port-forward/auth probe or scan an endpoint unrelated to multiarch-tuning-operator. Parameterize the target service/port/path, fail fast if the Service is missing, and use an app-scoped auth flow—or remove auth entirely if this operator does not expose an HTTP API.

Also applies to: 213-236, 274-279

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.tekton/rapidast-integration-pipeline.yaml around lines 182 - 186, The lines
that hardcode oc port-forward to svc/trex and the related probe against
/api/rh-trex/v1/dinosaurs (and use of OCM_TOKEN/Authorization) must be replaced:
parameterize the target service name, port and probe path (used by the oc
port-forward invocation and the HTTP probe), add a pre-check that the Service
exists and fail fast if not (before calling oc port-forward), and switch the
auth flow to an app-scoped token or remove the Authorization header if no HTTP
API is exposed; update occurrences of svc/trex, oc port-forward,
/api/rh-trex/v1/dinosaurs and OCM_TOKEN/Authorization in the task steps
(including the other regions noted) to use these parameters and the existence
check.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.tekton/rapidast-integration-pipeline.yaml:
- Line 48: Replace mutable image tags and runtime resolution with immutable,
verifiable artifacts: update all occurrences of the image reference
quay.io/konflux-ci/konflux-test:latest (and other :latest lines at the same
file) to pinned digest form (quay.io/konflux-ci/konflux-test@sha256:...) and
similarly pin any other tool/task images referenced in the pipeline; hardcode a
specific operator-sdk release instead of using releases/latest and add a
checksum verification step (e.g., compare downloaded operator-sdk binary SHA256
against a stored value) before use to ensure reproducible, tamper-resistant
execution.

---

Duplicate comments:
In @.tekton/rapidast-integration-pipeline.yaml:
- Around line 135-140: The loop selects the first installedCSV from any
Subscription (CSV_NAME) using awk, which can pick the wrong CSV when multiple
Subscriptions exist; change the oc get subscription command to filter by the
specific Subscription or package name (e.g., use a known SUBSCRIPTION_NAME or
the operator package and a jsonpath filter like selecting
.items[?(@.spec.name=="<package-or-subscription-name>")].status.installedCSV)
instead of awk '{print $1}', so CSV_NAME is set to the installedCSV for the
intended Subscription before running oc wait.
- Around line 182-186: The lines that hardcode oc port-forward to svc/trex and
the related probe against /api/rh-trex/v1/dinosaurs (and use of
OCM_TOKEN/Authorization) must be replaced: parameterize the target service name,
port and probe path (used by the oc port-forward invocation and the HTTP probe),
add a pre-check that the Service exists and fail fast if not (before calling oc
port-forward), and switch the auth flow to an app-scoped token or remove the
Authorization header if no HTTP API is exposed; update occurrences of svc/trex,
oc port-forward, /api/rh-trex/v1/dinosaurs and OCM_TOKEN/Authorization in the
task steps (including the other regions noted) to use these parameters and the
existence check.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 56c038bf-a628-46d3-b4c3-de8031bd58d3

📥 Commits

Reviewing files that changed from the base of the PR and between c427988 and 88384ff.

📒 Files selected for processing (1)
  • .tekton/rapidast-integration-pipeline.yaml
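Two of the review threads on this file point at the same supply-chain weakness from different angles: the first review's note about writing `jq` and `oc` into `/usr/local/bin` (which is not writable under a random UID), and the fourth review's request to pin `operator-sdk` to a fixed release and verify its SHA-256 before use. The following added example is not code from the PR or the pipeline; it shows one shell routine that covers both points. The sample file, its digest, and the `OPERATOR_SDK_URL` / `OPERATOR_SDK_SHA256` names in the trailing comment are constructed for the demonstration, not values taken from the PR:

```shell
#!/usr/bin/env bash
# Added example, not the PR's pipeline code: install a downloaded CLI binary only after its
# SHA-256 matches a pinned value, and into a user-writable bin dir instead of /usr/local/bin.
set -eu

# Portable SHA-256 of a file (GNU coreutils sha256sum, falling back to shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Returns 0 only if the file's digest equals the pinned one (case-insensitive hex compare).
verify_sha256() {
  file="$1"; expected="$2"
  actual=$(sha256_of "$file")
  [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" = "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]
}

# Copy an already-downloaded file into a writable tool dir as an executable, but only if the
# digest matches. Nothing is written to the destination on mismatch, so a later PATH lookup
# cannot pick up an unverified binary. Prints the installed path on success.
#   $1 downloaded file, $2 tool name, $3 pinned SHA-256, $4 bin dir (default ~/.local/bin)
install_verified() {
  src="$1"; name="$2"; expected="$3"; bindir="${4:-$HOME/.local/bin}"
  if ! verify_sha256 "$src" "$expected"; then
    echo "refusing to install $name: SHA-256 mismatch (expected $expected, got $(sha256_of "$src"))" >&2
    return 1
  fi
  mkdir -p "$bindir"
  install -m 0755 "$src" "$bindir/$name"
  printf '%s\n' "$bindir/$name"
}

# How the deploy-app task would use it (the download itself is not exercised offline).
# OPERATOR_SDK_URL and OPERATOR_SDK_SHA256 are hypothetical names; the values are placeholders.
#   OPERATOR_SDK_URL="https://github.com/operator-framework/operator-sdk/releases/download/<PINNED_VERSION>/operator-sdk_linux_amd64"
#   OPERATOR_SDK_SHA256="<PINNED_DIGEST>"
#   curl -fsSL "$OPERATOR_SDK_URL" -o /tmp/operator-sdk.dl
#   BIN=$(install_verified /tmp/operator-sdk.dl operator-sdk "$OPERATOR_SDK_SHA256" "$HOME/.local/bin")
#   export PATH="$(dirname "$BIN"):$PATH"
```

Recording the pinned version and digest as pipeline parameters rather than literals inside the step keeps the upgrade visible in a diff of this repository, which is the reproducibility property the review is asking for; the digest check then turns a tampered or silently re-published release asset into a hard task failure instead of a successfully "installed" tool.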


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

♻️ Duplicate comments (2)
.tekton/rapidast-integration-pipeline.yaml (2)

227-240: ⚠️ Potential issue | 🔴 Critical

Replace the remaining rh-trex sample target and auth flow.

This task still scans the copied rh-trex example instead of this operator: it port-forwards svc/trex, calls /api/rh-trex/v1/dinosaurs, and forwards OCM_TOKEN as the app’s Authorization header. The bundle/CSV in this repo describe an operator with CRDs/webhooks and internal services, not that HTTP API, so this pipeline cannot produce a valid scan target as written.

Also applies to: 255-281, 320-324

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.tekton/rapidast-integration-pipeline.yaml around lines 227 - 240, The
pipeline still targets the rh-trex example: replace the hardcoded port-forward
to svc/trex and the get-url step that calls /api/rh-trex/v1/dinosaurs and uses
OCM_TOKEN as the app Authorization; instead identify the actual service (or
remove port-forward if the operator has no external service) and update the oc
port-forward invocation, the HTTP endpoint the test step calls, and the
environment variable used for auth to match the operator’s real API or webhook
auth mechanism (update references to svc/trex, the port-forward command, the
get-url step, the /api/rh-trex/v1/dinosaurs path, and the OCM_TOKEN env usage).
Ensure every duplicated block (lines noted) is changed consistently.

48-48: ⚠️ Potential issue | 🟠 Major

Pin the remaining task images and operator-sdk download to immutable artifacts.

The pipeline still depends on mutable :latest tags and a runtime releases/latest lookup for operator-sdk. That keeps the task non-reproducible and makes failures depend on external changes instead of this PR.

#!/bin/bash
sed -n '1,350p' .tekton/rapidast-integration-pipeline.yaml \
  | rg -n ':(latest)\b|releases/latest'

Also applies to: 70-70, 93-93, 142-142, 156-158, 212-212, 234-234, 285-285

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.tekton/rapidast-integration-pipeline.yaml at line 48, Replace mutable image
tags and the runtime operator-sdk "releases/latest" lookup with immutable
artifacts: change occurrences of quay.io/konflux-ci/konflux-test:latest (and the
other :latest images at the noted locations) to pinned image digests or specific
immutable tags, and change any operator-sdk download that uses "releases/latest"
to a fixed release URL or archive with a known version/sha (refer to the
operator-sdk download step and any step named or referencing operator-sdk in the
pipeline). Ensure each updated image reference and the operator-sdk URL use
explicit version/digest identifiers so the pipeline becomes reproducible.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.tekton/rapidast-integration-pipeline.yaml:
- Around line 105-107: The script currently sets SA_NAME=$(oc whoami) but uses
${SA_NAME##*/} which doesn't strip the colon-delimited identity
(system:serviceaccount:<ns>:<name>), causing invalid --serviceaccount arguments
and silent failures; update the code that builds the RoleBinding to first parse
the service account name (e.g., extract the substring after the last ':' into
SA_NAME_SHORT or set SA_NAME=${SA_NAME##*:}) and use
--serviceaccount=${NAMESPACE}:${SA_NAME_SHORT}, and remove the trailing "|| echo
..." so the command fails fast; apply the same fix to the other identical block
that handles lines 134-138 (the RoleBinding creation logic).
- Around line 180-185: The loop that sets CSV_NAME currently grabs the first
installedCSV from any Subscription; change the oc get subscription command (the
CSV_NAME=... assignment inside the for loop) to select only the Subscription for
package "multiarch-tuning-operator" (e.g. use a jsonpath filter selecting
items[?(@.spec.name=='multiarch-tuning-operator')].status.installedCSV) so
CSV_NAME only reflects that operator's installedCSV instead of awk'ing the first
value from all subscriptions.

---

Duplicate comments:
In @.tekton/rapidast-integration-pipeline.yaml:
- Around line 227-240: The pipeline still targets the rh-trex example: replace
the hardcoded port-forward to svc/trex and the get-url step that calls
/api/rh-trex/v1/dinosaurs and uses OCM_TOKEN as the app Authorization; instead
identify the actual service (or remove port-forward if the operator has no
external service) and update the oc port-forward invocation, the HTTP endpoint
the test step calls, and the environment variable used for auth to match the
operator’s real API or webhook auth mechanism (update references to svc/trex,
the port-forward command, the get-url step, the /api/rh-trex/v1/dinosaurs path,
and the OCM_TOKEN env usage). Ensure every duplicated block (lines noted) is
changed consistently.
- Line 48: Replace mutable image tags and the runtime operator-sdk
"releases/latest" lookup with immutable artifacts: change occurrences of
quay.io/konflux-ci/konflux-test:latest (and the other :latest images at the
noted locations) to pinned image digests or specific immutable tags, and change
any operator-sdk download that uses "releases/latest" to a fixed release URL or
archive with a known version/sha (refer to the operator-sdk download step and
any step named or referencing operator-sdk in the pipeline). Ensure each updated
image reference and the operator-sdk URL use explicit version/digest identifiers
so the pipeline becomes reproducible.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 04ee6894-95d1-4d1a-991a-e35e76f47ded

📥 Commits

Reviewing files that changed from the base of the PR and between 88384ff and 41378ba.

📒 Files selected for processing (1)
  • .tekton/rapidast-integration-pipeline.yaml
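The two fixes the review above asks for, the `${SA_NAME##*/}` parsing bug in the RoleBinding step and the unpinned image references, as an added shell example that is not part of the PR or the pipeline: it assumes `oc whoami` in a pod returns the `system:serviceaccount:<ns>:<name>` form the review describes, and every value except the quoted `quay.io/konflux-ci/konflux-test:latest` reference is constructed.

```shell
#!/bin/sh
# Added example, not part of the PR: both review fixes on constructed inputs.

# --- 1. Service-account identity parsing (inline comment, lines 105-107) ---
# `oc whoami` in a pod is assumed to return "system:serviceaccount:<ns>:<name>".
# The pipeline's "${SA_NAME##*/}" strips through the last '/', so on that
# string it returns the input unchanged and --serviceaccount= gets garbage.
sa_name_slash_strip() { printf '%s\n' "${1##*/}"; }

# Corrected form: keep only the field after the last ':'.
sa_name_short() { printf '%s\n' "${1##*:}"; }

# "<ns>:<name>" for --serviceaccount=. Returns non-zero for anything that is
# not a service-account identity, so a script running under `set -e` stops
# instead of creating a RoleBinding for a bogus subject.
sa_rolebinding_arg() {
    case "$1" in
        system:serviceaccount:*:*) ;;
        *) return 1 ;;
    esac
    rest="${1#system:serviceaccount:}"
    printf '%s:%s\n' "${rest%:*}" "${rest##*:}"
}

# --- 2. Immutable image references (duplicate comment, line 48) ---
# Classifies an image reference: "digest" (pinned by @sha256, reproducible),
# "tag" (a named tag; immutable only if the registry guarantees it) or
# "mutable" (":latest", or no tag at all, which defaults to latest).
# A malformed digest (not 64 characters) returns non-zero.
image_ref_kind() {
    case "$1" in
        *@sha256:*)
            digest="${1##*@sha256:}"
            [ "${#digest}" -eq 64 ] && echo digest || return 1 ;;
        *@*) return 1 ;;
        *:latest) echo mutable ;;
        */*:*) echo tag ;;
        *) echo mutable ;;
    esac
}

# Demonstration. The konflux-test reference is the one quoted in the review;
# the service-account identity and the other image references are constructed.
sa='system:serviceaccount:tenant-ns:appstudio-pipeline'
echo "slash strip: $(sa_name_slash_strip "$sa")"   # unchanged: the bug
echo "rolebinding: $(sa_rolebinding_arg "$sa")"    # tenant-ns:appstudio-pipeline
for img in quay.io/konflux-ci/konflux-test:latest quay.io/example/tool:v1.2.3 \
    quay.io/example/tool@sha256:0000000000000000000000000000000000000000000000000000000000000000; do
    printf '%s -> %s\n' "$img" "$(image_ref_kind "$img")"
done
```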

@AnnaZivkovic AnnaZivkovic force-pushed the rapiDASt-add-config branch 3 times, most recently from 43c3378 to a2ce532 Compare April 23, 2026 23:19
@Yadnyawalkya

Not that we care much, but there is a typo in the PR name; it should be RapiDAST.

@AnnaZivkovic AnnaZivkovic changed the title WIP: MULTIARCH-5754: Add rpaiDAST pipeline WIP: MULTIARCH-5754: Add RapiDAST pipeline Apr 24, 2026
@AnnaZivkovic AnnaZivkovic changed the title WIP: MULTIARCH-5754: Add RapiDAST pipeline MULTIARCH-5754: Add RapiDAST pipeline Apr 28, 2026
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 28, 2026
AnnaZivkovic and others added 2 commits April 29, 2026 12:04
- Add HTML report generation alongside JSON and SARIF formats
- Optimize spider configuration to reduce false 404 warnings
  - Reduce maxDuration from 5 to 1 second
  - Explicitly specify target URL to avoid trailing slash issues
- Enable multiple report formats for better visibility into scan results

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Add HTML report generation alongside JSON and SARIF formats
- Optimize spider configuration to reduce false 404 warnings
  - Reduce maxDuration from 5 to 1 second
  - Explicitly specify target URL to avoid trailing slash issues
- Enable multiple report formats for better visibility into scan results

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@openshift-ci

openshift-ci Bot commented Apr 29, 2026

@AnnaZivkovic: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/ocp418-ci-index-multiarch-tuning-operator-bundle | d792107 | link | true | /test ocp418-ci-index-multiarch-tuning-operator-bundle |
| ci/prow/ocp419-ci-index-multiarch-tuning-operator-bundle | d792107 | link | true | /test ocp419-ci-index-multiarch-tuning-operator-bundle |
| ci/prow/ocp420-ci-index-multiarch-tuning-operator-bundle | d792107 | link | true | /test ocp420-ci-index-multiarch-tuning-operator-bundle |
| ci/prow/ocp422-ci-index-multiarch-tuning-operator-bundle | d792107 | link | true | /test ocp422-ci-index-multiarch-tuning-operator-bundle |
| ci/prow/ci-index-multiarch-tuning-operator-bundle | d792107 | link | true | /test ci-index-multiarch-tuning-operator-bundle |
| ci/prow/ocp416-ci-index-multiarch-tuning-operator-bundle | d792107 | link | true | /test ocp416-ci-index-multiarch-tuning-operator-bundle |

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
