
MULTIARCH-6035: Add release pre and final pipelineruns#197

Open
AnnaZivkovic wants to merge 2 commits into
openshift:mainfrom
AnnaZivkovic:automat-fbc-pr

Conversation

@AnnaZivkovic

@AnnaZivkovic AnnaZivkovic commented May 1, 2026

Summary

Adds two Konflux Tekton Pipeline definitions under .tekton/ to automate pre-release snapshot checks and post-release FBC catalog updates for the operator release flow.

What’s added

snapshot-validation-pipeline

Runs before a release is cut. It takes the release snapshot as JSON, resolves the bundle image, pulls the bundle with Podman, locates the ClusterServiceVersion, reads the internal operator image from the multiarch.openshift.io/image annotation, and verifies that image’s SHA256 appears among the snapshot component images. Pipeline results expose VALIDATION_RESULT (PASS / FAIL) and INTERNAL_IMAGE. The validation step runs privileged so Podman can execute reliably on OpenShift; yq is installed from upstream (Go implementation) for consistent CSV parsing.

fbc-update-final-pipeline

Runs after release completion (intended as a final / post-release pipeline). It parses the snapshot for the multiarch-tuning-operator-bundle image and version, derives the released git commit and branch, tags the release commit on the source repo (with idempotent handling if the tag already exists), clones the FBC branch onto a shared workspace via the catalog git-clone task (workspace-based flow, not OCI-TA), runs hack/build-indexs.sh and hack/update-graph.sh with opm fetched from upstream, then commits catalog changes and pushes a branch and optionally opens a GitHub PR via gh when GITHUB_TOKEN is available. clone-fbc-branch is ordered after tag-release-commit so both paths do not contend on the same PVC concurrently.
Pipeline results surface VERSION, TAG_URL, and FBC_PR_URL (including sentinel values such as none when there is nothing to open or no URL was captured).

Parameters & integration notes

  • fbc-update-final-pipeline: snapshot, release, optional git-url (default openshift/multiarch-tuning-operator), optional fbc-branch (default fbc). Requires workspace and optionally git-auth for clone/push.
  • snapshot-validation-pipeline: snapshot, optional release (defaults to {}).

Follow-up wiring (outside these YAML files) typically includes binding these pipelines in Release / ReleasePlan automation as validation and final pipelines, and ensuring git-auth / github-token secrets exist where the cluster expects them.

Summary by CodeRabbit

  • New Features
    • Added an automated post-release pipeline that determines release VERSION, tags the release commit when appropriate, updates the catalog/index, and can open a PR for catalog changes; outputs VERSION, TAG_URL, and FBC_PR_URL.
    • Added a snapshot validation pipeline that verifies internal operator image digests against snapshot manifests and publishes VALIDATION_RESULT and INTERNAL_IMAGE.
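The digest comparison described above, together with the fail-fast version derivation and the architecture mapping that the review comments below ask for, as an added shell example that is not code from the PR or from openshift/multiarch-tuning-operator. The image references and digests are constructed, and the tag-only case is reported as UNRESOLVED rather than looked up, since no registry is contacted here.

```shell
#!/usr/bin/env bash
# Added example (not from the PR): the checks the validation and final
# pipelines need, written to behave under `set -e` and without GNU-grep PCRE.
# Inputs are constructed; in the pipeline they come from jq over the snapshot
# JSON and yq over the ClusterServiceVersion.
set -eu

# Constructed sample data: snapshot component images as `jq -r` would print
# them (one per line), with two made-up 64-hex digests.
SHA_OPERATOR="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
SHA_BUNDLE="fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210"
SNAPSHOT_IMAGES="quay.io/example/multiarch-tuning-operator@sha256:${SHA_OPERATOR}
quay.io/example/multiarch-tuning-operator-bundle:v1.2.3@sha256:${SHA_BUNDLE}"

# Print the 64-hex digest of a digest-pinned reference, or nothing at all.
# sed -n prints only on match and exits 0 either way, so an assignment from
# this function never trips errexit and the caller's explicit empty check runs.
extract_digest() {
  printf '%s\n' "$1" | sed -n 's/.*@sha256:\([0-9a-f]\{64\}\)$/\1/p'
}

# PASS when the internal image digest is one of the snapshot digests, FAIL when
# it is not, UNRESOLVED when the annotation is a tag (comparing it would need a
# registry lookup, which this offline example does not perform), INVALID when
# the reference looks digest-pinned but the digest is malformed.
validate_internal_image() {
  local internal="$1" images="$2" internal_sha snapshot_shas
  case "$internal" in
    *@sha256:*) ;;
    *) echo UNRESOLVED; return 0 ;;
  esac
  internal_sha=$(extract_digest "$internal")
  if [ -z "$internal_sha" ]; then
    echo INVALID
    return 0
  fi
  # Collect every digest in the snapshot; references without one are ignored.
  snapshot_shas=$(printf '%s\n' "$images" | sed -n 's/.*@sha256:\([0-9a-f]\{64\}\)$/\1/p')
  if printf '%s\n' "$snapshot_shas" | grep -qx "$internal_sha"; then
    echo PASS
  else
    echo FAIL
  fi
}

# Derive vX.Y.Z from a bundle image tag ("repo:v1.2.3" or "repo:v1.2.3@sha256:...").
# Prints nothing for a digest-only reference, so the pipeline can fail fast
# instead of tagging a release called "unknown".
version_from_bundle_ref() {
  printf '%s\n' "$1" \
    | sed -n 's/^.*:\(v[0-9]\{1,\}\.[0-9]\{1,\}\.[0-9]\{1,\}\)\(@sha256:[0-9a-f]\{64\}\)\{0,1\}$/\1/p'
}

# Map `uname -m` output to the asset suffix the yq and opm releases use.
# Returns non-zero for an unknown machine type instead of silently taking amd64.
arch_suffix() {
  case "$1" in
    x86_64)        echo amd64 ;;
    aarch64|arm64) echo arm64 ;;
    ppc64le)       echo ppc64le ;;
    s390x)         echo s390x ;;
    *) echo "unsupported architecture: $1" >&2; return 1 ;;
  esac
}

# Walk the samples through each check (what the pipeline step would log).
echo "digest-pinned  : $(validate_internal_image "quay.io/example/multiarch-tuning-operator@sha256:${SHA_OPERATOR}" "$SNAPSHOT_IMAGES")"
echo "wrong digest   : $(validate_internal_image "quay.io/example/multiarch-tuning-operator@sha256:$(printf '%064d' 0)" "$SNAPSHOT_IMAGES")"
echo "tag only       : $(validate_internal_image "registry.ci.openshift.org/origin/multiarch-tuning-operator:main" "$SNAPSHOT_IMAGES")"
echo "bundle version : $(version_from_bundle_ref "quay.io/example/multiarch-tuning-operator-bundle:v1.2.3@sha256:${SHA_BUNDLE}")"
echo "asset suffix   : $(arch_suffix "$(uname -m)")"
```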

@coderabbitai

coderabbitai Bot commented May 1, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

Adds two Tekton Pipelines: fbc-update-final-pipeline (extracts VERSION and commit, optionally tags the release commit, updates an FBC branch with built index/graph data, and opens a PR) and snapshot-validation-pipeline (pulls a bundle, extracts CSV internal image SHA, and validates it against snapshot image SHAs).

Changes

FBC Update Final Pipeline

Layer / File(s) Summary
Pipeline Declaration
.tekton/fbc-update-final-pipeline.yaml
Adds fbc-update-final-pipeline with params snapshot, release, git-url, fbc-branch, and results VERSION, TAG_URL, FBC_PR_URL.
Snapshot Data Extraction
.tekton/fbc-update-final-pipeline.yaml (extract-snapshot-name)
Parses snapshot to emit SNAPSHOT_NAME, BUNDLE_IMAGE, and determine VERSION (prefer vX.Y.Z in bundle image tag, else bundle component source.git.revision); fails if unresolved.
Release Commit Detection
.tekton/fbc-update-final-pipeline.yaml (extract-release-commit)
Extracts GIT_COMMIT from operator component (fallback to first component) and GIT_BRANCH from snapshot annotation build.appstudio.redhat.com/target_branch (default main).
Git Tagging
.tekton/fbc-update-final-pipeline.yaml (tag-release-commit)
Clones target repo@branch, verifies commit exists, conditionally creates/pushes annotated tag VERSION (skips if tag exists on a different commit), writes TAG_URL or none.
FBC Branch Checkout
.tekton/fbc-update-final-pipeline.yaml (clone-fbc-branch)
Clones configured fbc-branch into workspace for catalog updates.
Catalog Update
.tekton/fbc-update-final-pipeline.yaml (update-fbc-and-create-pr)
Installs latest opm, runs hack/build-indexs.sh with BUNDLE_IMAGE, runs hack/update-graph.sh with VERSION (leading v stripped), and prepares catalog index changes.
PR Creation
.tekton/fbc-update-final-pipeline.yaml (update-fbc-and-create-pr)
If catalog changes exist, creates a timestamped branch, commits/pushes index changes, and uses gh pr create when GITHUB_TOKEN is present; writes FBC_PR_URL (none/unknown when applicable).

Snapshot Validation Pipeline

Layer / File(s) Summary
Pipeline Declaration
.tekton/snapshot-validation-pipeline.yaml
Adds snapshot-validation-pipeline with params snapshot and release (default "{}"), and results VALIDATION_RESULT, INTERNAL_IMAGE.
Validation Task & Tooling
.tekton/snapshot-validation-pipeline.yaml (validate-snapshot taskSpec)
Embedded task accepts snapshot param, exposes results, and installs jq, podman, and the latest GitHub yq.
Snapshot Parsing & Image Selection
.tekton/snapshot-validation-pipeline.yaml (script)
Parses snapshot JSON, selects bundle image for component multiarch-tuning-operator-bundle, failing early if missing.
Bundle Image Extraction
.tekton/snapshot-validation-pipeline.yaml (script)
Pulls bundle image with podman, saves/extracts layers, locates first *.clusterserviceversion.yaml, failing if missing.
Internal Image SHA Extraction
.tekton/snapshot-validation-pipeline.yaml (script)
Reads CSV annotation multiarch.openshift.io/image via yq, extracts internal operator sha256 digest, fails if absent/unparsable.
SHA Comparison & Validation Result
.tekton/snapshot-validation-pipeline.yaml (script)
Collects snapshot component sha256 digests, compares to internal digest, writes PASS/FAIL and INTERNAL_IMAGE, exits non-zero on failure.
Cleanup
.tekton/snapshot-validation-pipeline.yaml (script)
Removes temporary bundle artifacts before exit.

Sequence Diagrams

sequenceDiagram
    participant Pipeline as fbc-update-final-pipeline
    participant Snapshot as Snapshot JSON
    participant Git as Git Repository
    participant FBC as FBC Repository
    participant Catalog as Catalog Scripts
    participant GitHub as GitHub API

    Snapshot->>Pipeline: provide snapshot param
    Pipeline->>Snapshot: parse -> BUNDLE_IMAGE, VERSION, GIT_COMMIT, GIT_BRANCH
    Pipeline->>Git: clone repo@GIT_BRANCH and verify GIT_COMMIT
    Git-->>Pipeline: commit verified (or error)
    Pipeline->>Git: create/push annotated tag VERSION (if applicable)
    Git-->>Pipeline: return TAG_URL / none
    Pipeline->>FBC: clone fbc-branch
    Pipeline->>Catalog: run build-indexs.sh(BUNDLE_IMAGE) & update-graph.sh(VERSION)
    Catalog-->>Pipeline: updated index files
    Pipeline->>Git: create branch, commit, push changes
    Pipeline->>GitHub: create PR (if token present)
    GitHub-->>Pipeline: return FBC_PR_URL / unknown / none
sequenceDiagram
    participant Pipeline as snapshot-validation-pipeline
    participant Snapshot as Snapshot JSON
    participant Registry as Container Registry
    participant Bundle as Bundle Image
    participant CSV as ClusterServiceVersion

    Snapshot->>Pipeline: provide snapshot param
    Pipeline->>Snapshot: parse -> select bundle image
    Pipeline->>Registry: pull BUNDLE_IMAGE
    Registry-->>Pipeline: image layers (tar)
    Pipeline->>Bundle: extract layers, locate CSV
    Bundle-->>CSV: CSV YAML file
    Pipeline->>CSV: extract internal image annotation -> internal SHA256
    Pipeline->>Snapshot: collect snapshot component SHA256 digests
    Pipeline->>Pipeline: compare internal SHA with snapshot SHAs
    Pipeline-->>Pipeline: set VALIDATION_RESULT (PASS/FAIL) and INTERNAL_IMAGE

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 12
✅ Passed checks (12 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'MULTIARCH-6035: Add release pre and final pipelineruns' accurately summarizes the main changes: adding two Tekton Pipeline definitions (snapshot-validation-pipeline and fbc-update-final-pipeline) for pre-release and post-release automation.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed This PR adds Tekton Pipeline YAML definitions for CI/CD orchestration, not Ginkgo tests. No Ginkgo test definitions are present.
Test Structure And Quality ✅ Passed PR adds only YAML configuration files, not Go test files, so Ginkgo test structure requirements are not applicable.
Microshift Test Compatibility ✅ Passed The pull request does not add any Ginkgo e2e tests. The files added are Tekton Pipeline definitions, which are infrastructure/CI configuration files written in YAML.
Single Node Openshift (Sno) Test Compatibility ✅ Passed This PR adds only Tekton Pipeline YAML definitions for CI/CD automation, not Ginkgo e2e tests. Since no such tests are present, the check is not applicable and passes.
Topology-Aware Scheduling Compatibility ✅ Passed The PR adds two Tekton Pipeline definitions that are CI/CD orchestration manifests with no topology-aware scheduling constraints.
Ote Binary Stdout Contract ✅ Passed This PR adds only YAML Tekton Pipeline configuration files without any executable Go binaries or process-level code that could violate the OTE Binary Stdout Contract.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed This pull request does not add any Ginkgo e2e tests. The changes consist only of Tekton Pipeline YAML definitions for CI/CD automation.


Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci Bot requested review from Prashanth684 and aleskandro May 1, 2026 23:19
@openshift-ci

openshift-ci Bot commented May 1, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign aleskandro for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@AnnaZivkovic AnnaZivkovic changed the title Add release pre and final pipelineruns MULTIARCH-6035: Add release pre and final pipelineruns May 1, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label May 1, 2026
@openshift-ci-robot

openshift-ci-robot commented May 1, 2026

@AnnaZivkovic: This pull request references MULTIARCH-6035 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 6

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.tekton/fbc-update-final-pipeline.yaml:
- Around line 154-175: The task declares a workspace named basic-auth but the
create-and-push-tag step ignores it and hard-codes the github-token secret;
update the create-and-push-tag script to prefer credentials from the basic-auth
workspace when present (e.g., check for a token file, .git-credentials, or
.netrc inside $(workspaces.basic-auth.path) and export it to GITHUB_TOKEN or
configure git credential.helper) and only fall back to the github-token secret
if the workspace is not bound; modify the env or script logic in the
create-and-push-tag step so authentication is driven by the basic-auth workspace
contents (and keep the existing secret fallback for backward compatibility).
- Around line 83-90: The script currently falls back to writing "unknown" into
VERSION (variable VERSION, derived from BUNDLE_IMAGE and SNAPSHOT) which can be
propagated into git tags and catalog versions; instead, after attempting both
extraction methods (the VERSION assignment from BUNDLE_IMAGE and the SNAPSHOT jq
fallback) add a check that if VERSION is empty or equals "unknown" then print a
clear error (e.g., to stderr) and exit non‑zero (fail fast) rather than echoing
and writing the result to $(results.VERSION.path); update the block around
VERSION assignment/echo to perform this validation and exit on failure so a
digest‑only snapshot cannot create an "unknown" release.
- Around line 126-137: The GIT_BRANCH variable is being populated from
non-branch fields causing git clone --branch to fail; update the logic that sets
GIT_BRANCH (the earlier jq extraction and the fallback blocks that reference
metadata.labels["appstudio.openshift.io/component"] and
spec.components[].source.git.context) to only read
metadata.annotations["build.appstudio.redhat.com/target_branch"] and, if that
annotation is empty or null, fall back to a safe default like "main" before the
git clone step; keep references to the GIT_BRANCH variable and the existing
defaulting to "main" but remove the label and component-source fallbacks so only
the target_branch annotation is used.

In @.tekton/snapshot-validation-pipeline.yaml:
- Around line 141-165: The pipeline fails when multiarch.openshift.io/image
(captured into INTERNAL_IMAGE) is a tag rather than a digest because
INTERNAL_SHA is extracted with grep for sha256; change the validation to detect
if INTERNAL_IMAGE contains "sha256:" and if not, resolve the tag to its digest
(e.g., via an image registry lookup tool) and set INTERNAL_IMAGE and
INTERNAL_SHA from that resolved digest before the sha extraction/validation;
alternatively ensure the bundle build writes a digest-pinned reference into the
CSV so INTERNAL_IMAGE already contains the sha—update the logic around
INTERNAL_IMAGE and INTERNAL_SHA to handle both cases and write the resolved
value to $(results.INTERNAL_IMAGE.path).
- Around line 119-129: The extraction loop using the glob "$BUNDLE_DIR"/*.tar
misses layers in docker-archive and oci-archive layouts; update the loop that
iterates over layer_tar (and the surrounding comments) to use a recursive find
(e.g., find "$BUNDLE_DIR" -type f -name "layer.tar" -o -name "*.tar") so it
collects layer files anywhere under BUNDLE_DIR, then iterate over those paths
and tar -xf each into "$BUNDLE_DIR"; this change touches the extraction loop
that references BUNDLE_DIR and should preserve the subsequent CSV_FILE discovery
that uses find "$BUNDLE_DIR" -name "*.clusterserviceversion.yaml".
- Around line 157-172: The command substitutions that set INTERNAL_SHA and
SNAPSHOT_SHAS use grep -oP which can return non-zero and, under set -e, abort
the step before your explicit FAIL handling; fix by making the grep invocations
safe (e.g., change the assignments for INTERNAL_SHA and SNAPSHOT_SHAS to use
grep ... || true or grep ... || echo "" so the substitution never returns a
non-zero status) or temporarily disable errexit around those lines (set +e; ...;
set -e). Update the assignments that reference INTERNAL_IMAGE and IMAGES (the
lines that create INTERNAL_SHA and SNAPSHOT_SHAS) to use one of those safe
patterns so the subsequent explicit empty-check/FAIL logic runs reliably.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: f9302e08-867e-4f49-803d-e20b2d5a536d

📥 Commits

Reviewing files that changed from the base of the PR and between 332ca44 and 5842fe9.

📒 Files selected for processing (2)
  • .tekton/fbc-update-final-pipeline.yaml
  • .tekton/snapshot-validation-pipeline.yaml

Comment on lines +141 to +165
# Extract internal image from CSV annotations
INTERNAL_IMAGE=$(yq '.spec.install.spec.deployments[0].spec.template.metadata.annotations."multiarch.openshift.io/image"' "$CSV_FILE")

if [ -z "$INTERNAL_IMAGE" ] || [ "$INTERNAL_IMAGE" = "null" ]; then
echo "❌ ERROR: Could not extract internal image from CSV annotations."
echo "Expected annotation: multiarch.openshift.io/image"
echo "FAIL" > $(results.VALIDATION_RESULT.path)
echo "none" > $(results.INTERNAL_IMAGE.path)
exit 1
fi

echo ""
echo "Internal operator image from CSV:"
echo " $INTERNAL_IMAGE"

# Extract SHA from internal image
INTERNAL_SHA=$(echo "$INTERNAL_IMAGE" | grep -oP 'sha256:\K[a-f0-9]{64}')

if [ -z "$INTERNAL_SHA" ]; then
echo "❌ ERROR: Could not extract SHA256 from internal image."
echo "Image format should be: registry/repo@sha256:..."
echo "FAIL" > $(results.VALIDATION_RESULT.path)
echo "$INTERNAL_IMAGE" > $(results.INTERNAL_IMAGE.path)
exit 1
fi
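Review bot: the `INTERNAL_SHA=$(echo "$INTERNAL_IMAGE" | grep -oP 'sha256:\K[a-f0-9]{64}')` assignment takes grep's non-zero status when the reference carries no digest, so if this script runs with errexit the step dies on that line and the `if [ -z "$INTERNAL_SHA" ]` branch never writes `FAIL` to `$(results.VALIDATION_RESULT.path)` or the image to `$(results.INTERNAL_IMAGE.path)`; append `|| true` to the substitution, or replace it with `sed -n 's/.*@sha256:\([a-f0-9]\{64\}\)$/\1/p'`, which exits 0 on no match and does not depend on a grep built with PCRE (`-P` is absent from busybox grep). Smaller point: the `yq` path selects `deployments[0]`, so a CSV that ever lists a second deployment could hand back the wrong annotation; selecting the deployment by name is more robust.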

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
rg -n -C2 'multiarch\.openshift\.io/image' bundle config hack .tekton

Repository: openshift/multiarch-tuning-operator

Length of output: 3933


🏁 Script executed:

#!/bin/bash
# Check if there's any tag-to-digest conversion in the build process
rg -i 'sha256|digest' bundle hack .tekton --type yaml --type sh -A 2 -B 2 | head -100

Repository: openshift/multiarch-tuning-operator

Length of output: 7176


🏁 Script executed:

#!/bin/bash
# Check the complete validation logic in the pipeline to see if there's any handling for tags
cat .tekton/snapshot-validation-pipeline.yaml | sed -n '135,180p'

Repository: openshift/multiarch-tuning-operator

Length of output: 1929


Validation fails on tag-based images; requires digest-pinned images in CSV annotation.

The pipeline assumes the multiarch.openshift.io/image annotation is digest-pinned (format: registry/repo@sha256:...), but the CSV currently sets it to a tag (registry.ci.openshift.org/origin/multiarch-tuning-operator:main). The SHA256 extraction at line 157 using grep -oP 'sha256:\K[a-f0-9]{64}' will fail and the task will exit with error "Could not extract SHA256 from internal image" on every snapshot validation.

Either the bundle build must convert the tag to a digest before the CSV is generated, or the validation script must handle tag-based images by resolving them to their digest.



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 3

♻️ Duplicate comments (2)
.tekton/snapshot-validation-pipeline.yaml (1)

155-163: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

This validator still rejects tag-based internal image references.

The logic only succeeds when multiarch.openshift.io/image already contains @sha256:.... Any bundle that still emits a tag here fails before the actual snapshot comparison runs. Resolve the tag to a digest before extracting INTERNAL_SHA, or ensure bundle generation always writes a digest-pinned reference.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.tekton/snapshot-validation-pipeline.yaml around lines 155 - 163, The
validator currently fails when INTERNAL_IMAGE is a tag because INTERNAL_SHA is
only extracted from a digest string; update the script before the INTERNAL_SHA
extraction to resolve tag references to a digest (e.g., call a registry/digest
resolver such as skopeo/crane/podman to get the image digest and rewrite
INTERNAL_IMAGE to image@sha256:<digest> when no sha present) and then run the
existing grep on INTERNAL_IMAGE; specifically modify the block that sets
INTERNAL_SHA / reads INTERNAL_IMAGE so that if INTERNAL_IMAGE does not contain
"@sha256:" you perform a digest lookup (using a tool like skopeo inspect or
crane digest), replace INTERNAL_IMAGE with the digest-pinned form, then extract
INTERNAL_SHA as currently done.
.tekton/fbc-update-final-pipeline.yaml (1)

429-455: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

create-pr still doesn’t use the declared basic-auth workspace for git push.

This task advertises basic-auth, but unlike tag-release-commit it never configures git from that workspace before pushing PR_BRANCH. GITHUB_TOKEN only helps gh pr create; it does not authenticate git push. A run that binds only git-auth can still fail here.

Also applies to: 490-492

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.tekton/fbc-update-final-pipeline.yaml around lines 429 - 455, The
commit-and-push step advertises the basic-auth workspace but never configures
git to use it before pushing PR_BRANCH (commit-and-push step, env GITHUB_TOKEN,
workspace basic-auth, params FBC_BRANCH/PR_BRANCH); update the commit-and-push
step to detect and consume credentials from $(workspaces.basic-auth.path) (e.g.,
a .git-credentials or credential file), configure git credential helper to use
that file or set an appropriate GIT_ASKPASS/GIT_CREDENTIAL_HELPER so that git
push is authenticated, and fall back to GITHUB_TOKEN/gh only for gh pr
create—mirror the approach used in tag-release-commit to ensure pushes succeed
when only basic-auth is provided.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.tekton/fbc-update-final-pipeline.yaml:
- Around line 124-127: The fallback currently reads the revision from
.spec.components[0] which can pick the wrong component; change the jq selection
so GIT_COMMIT is set from the component named "bundle" instead of index 0 (e.g.
use .spec.components[] | select(.name=="bundle") | .source.git.revision) and
keep the existing || echo "" fallback so GIT_COMMIT stays empty when no bundle
component exists; update the assignment that sets GIT_COMMIT from SNAPSHOT
accordingly.
- Around line 349-355: Detect the runner architecture (e.g., capture uname -m
into ARCH_RAW), map common uname outputs to the expected release asset suffix
(e.g., x86_64 -> amd64, aarch64 -> arm64, armv7l -> arm) and build the opm
download name using that mapped value (replace the hardcoded linux-amd64-opm in
the curl command that uses OPM_VERSION). Update the chmod/curl usage to use the
constructed filename variable and apply the same mapping approach to the yq
download (replace yq_linux_amd64 with a dynamically constructed
yq_linux_${ARCH}). Ensure you reference the variables used in the diff
(OPM_VERSION and the curl download line) and reuse the mapping logic for both
opm and yq downloads so non-amd64 workers get the correct binary.

In @.tekton/snapshot-validation-pipeline.yaml:
- Around line 59-64: The install step currently hard-codes the amd64 asset
(yq_linux_amd64) causing exec format errors on non-amd64 runners; modify the
block that sets YQ_VERSION and performs the curl download to detect the host
architecture (use uname -m), map common values (e.g., x86_64 -> amd64,
aarch64/arm64 -> arm64, armv7l -> arm) into a YQ_ARCH variable, and replace the
fixed filename with the computed "yq_linux_${YQ_ARCH}" asset when building the
download URL so the correct binary for the runner is fetched.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 676c8e5a-501f-4342-b5c9-20e9e2bd73df

📥 Commits

Reviewing files that changed from the base of the PR and between 5842fe9 and d0fc60b.

📒 Files selected for processing (2)
  • .tekton/fbc-update-final-pipeline.yaml
  • .tekton/snapshot-validation-pipeline.yaml

Comment on lines +349 to +355
# Get latest opm version from GitHub releases
OPM_VERSION=$(curl -s https://api.github.com/repos/operator-framework/operator-registry/releases/latest | jq -r '.tag_name')
echo "Latest opm version: $OPM_VERSION"

# Download and install opm
curl -L "https://github.com/operator-framework/operator-registry/releases/download/${OPM_VERSION}/linux-amd64-opm" -o /usr/local/bin/opm
chmod +x /usr/local/bin/opm
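Review bot: The opm binary is taken from whatever the `latest` GitHub release is at run time and executed with no integrity check, so the catalog build depends on an asset the pipeline never pins or verifies. Pin OPM_VERSION as a pipeline parameter and compare the downloaded file against a known checksum before the `chmod +x`. Separately, `curl -s` has no `--fail`: when the unauthenticated API call is rate-limited, `jq -r '.tag_name'` prints `null`, the download URL becomes `.../download/null/linux-amd64-opm`, and the error body is saved as /usr/local/bin/opm; use `curl -fsSL` for both calls and abort when OPM_VERSION is empty or `null`.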

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify that the pipeline currently pins an amd64-only opm binary.
sed -n '349,355p' .tekton/fbc-update-final-pipeline.yaml

Repository: openshift/multiarch-tuning-operator

Length of output: 567


🏁 Script executed:

# Check the context of this pipeline and project architecture support
head -50 .tekton/fbc-update-final-pipeline.yaml

Repository: openshift/multiarch-tuning-operator

Length of output: 1647


🏁 Script executed:

# Search for other architecture-specific asset downloads or architecture handling
rg "linux-(amd64|arm64|ppc64le|s390x)" .tekton/ || echo "No other arch-specific downloads found"

Repository: openshift/multiarch-tuning-operator

Length of output: 269


🏁 Script executed:

# Check if there's any architecture detection logic elsewhere in the pipeline
rg -i "architecture|arch|amd64|arm64|runtime.*arch|uname.*m" .tekton/ | head -20

Repository: openshift/multiarch-tuning-operator

Length of output: 3001


🏁 Script executed:

# Look for multiarch or multiplatform references in project files
rg -i "multiarch|multi-arch|multiplatform|multi-platform" . --max-count=20 2>/dev/null | grep -v ".git"

Repository: openshift/multiarch-tuning-operator

Length of output: 50391


Fix hardcoded amd64 architecture in binary downloads.

The pipeline hardcodes linux-amd64-opm downloads, which breaks on non-amd64 workers. Detect the runtime architecture using uname -m or similar and construct the download URL dynamically (e.g., linux-${ARCH}-opm where ARCH is mapped from uname -m output).

Note: A similar issue exists with yq_linux_amd64 in .tekton/snapshot-validation-pipeline.yaml and should be fixed together.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.tekton/fbc-update-final-pipeline.yaml around lines 349 - 355, Detect the
runner architecture (e.g., capture uname -m into ARCH_RAW), map common uname
outputs to the expected release asset suffix (e.g., x86_64 -> amd64, aarch64 ->
arm64, armv7l -> arm) and build the opm download name using that mapped value
(replace the hardcoded linux-amd64-opm in the curl command that uses
OPM_VERSION). Update the chmod/curl usage to use the constructed filename
variable and apply the same mapping approach to the yq download (replace
yq_linux_amd64 with a dynamically constructed yq_linux_${ARCH}). Ensure you
reference the variables used in the diff (OPM_VERSION and the curl download
line) and reuse the mapping logic for both opm and yq downloads so non-amd64
workers get the correct binary.

Comment on lines +59 to +64
# Install Go-yq from GitHub (latest version)
echo "Installing yq (Go version) from GitHub..."
YQ_VERSION=$(curl -s https://api.github.com/repos/mikefarah/yq/releases/latest | jq -r '.tag_name')
echo "Latest yq version: $YQ_VERSION"
curl -L "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -o /usr/local/bin/yq
chmod +x /usr/local/bin/yq
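Review bot: This is the same unpinned, unverified install pattern as the opm download, and here the tool being installed is the one the validation step's CSV parsing relies on, so a substituted or corrupted yq directly affects the verdict. Pass YQ_VERSION in as a pipeline parameter, verify the asset's checksum before `chmod +x`, and add `--fail` to both `curl` calls so a `null` tag_name or a 404 stops the step instead of leaving an unusable /usr/local/bin/yq in place.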

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify that the pipeline currently pins an amd64-only yq binary.
sed -n '59,64p' .tekton/snapshot-validation-pipeline.yaml

Repository: openshift/multiarch-tuning-operator

Length of output: 532


🏁 Script executed:

#!/bin/bash
# Check for other architecture-specific references in the pipeline file
rg -n "amd64|x86_64|arm64|ppc64|s390x" .tekton/snapshot-validation-pipeline.yaml

# Also check the overall structure of the pipeline to understand its scope
wc -l .tekton/snapshot-validation-pipeline.yaml

Repository: openshift/multiarch-tuning-operator

Length of output: 252


Don't hard-code the amd64 yq asset.

This step always downloads yq_linux_amd64, so it will fail with exec format error on any non-amd64 worker. Detect the node architecture using uname -m and download the corresponding release asset, or use a package/source that matches the system architecture.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.tekton/snapshot-validation-pipeline.yaml around lines 59 - 64, The install
step currently hard-codes the amd64 asset (yq_linux_amd64) causing exec format
errors on non-amd64 runners; modify the block that sets YQ_VERSION and performs
the curl download to detect the host architecture (use uname -m), map common
values (e.g., x86_64 -> amd64, aarch64/arm64 -> arm64, armv7l -> arm) into a
YQ_ARCH variable, and replace the fixed filename with the computed
"yq_linux_${YQ_ARCH}" asset when building the download URL so the correct binary
for the runner is fetched.
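The architecture mapping that both review comments above (the opm and yq downloads) ask for, as an added example that is not part of the PR's pipeline. It also goes one step further than the comments: the version is pinned instead of fetched from `latest`, and the asset is only installed after its checksum matches. `arch_suffix`, `asset_name`, `verify_sha256` and `install_release_binary` are names chosen here, and the `YQ_VERSION` / `YQ_SHA256` parameters in the usage comment are assumed.

```shell
#!/bin/bash
# Added example (not the PR's pipeline code): choose the release asset for the
# node's architecture instead of hardcoding amd64, pin the version, and verify
# the download against an expected checksum before installing it.
set -eu

# Map `uname -m` output to the suffix used by Go-style release assets.
# An unknown architecture is an error, not a silent fallback to amd64.
arch_suffix() {
  case "$1" in
    x86_64|amd64)  echo amd64 ;;
    aarch64|arm64) echo arm64 ;;
    ppc64le)       echo ppc64le ;;
    s390x)         echo s390x ;;
    *) echo "unsupported architecture: $1" >&2; return 1 ;;
  esac
}

# Build the asset name from a template containing the literal token ARCH,
# e.g. "yq_linux_ARCH" or "linux-ARCH-opm".
asset_name() {  # asset_name TEMPLATE ARCH_SUFFIX
  printf '%s\n' "${1%%ARCH*}$2${1#*ARCH}"
}

# Compare a file's sha256 with the expected hex digest; non-zero on mismatch.
verify_sha256() {  # verify_sha256 FILE EXPECTED_HEX
  local actual
  actual="$(sha256sum "$1" | cut -d' ' -f1)"
  [ "$actual" = "$2" ]
}

# Download a pinned release asset and install it only if the checksum matches.
# The expected digest must come from the project's published checksums and be
# supplied as a pipeline parameter; it is never derived from the download.
install_release_binary() {  # install_release_binary URL DEST EXPECTED_HEX
  local tmp
  tmp="$(mktemp)"
  # --fail makes a 404 (e.g. from a bad version or asset name) an error
  # instead of a saved HTML page that chmod would later mark executable.
  curl -fsSL "$1" -o "$tmp"
  if ! verify_sha256 "$tmp" "$3"; then
    echo "checksum mismatch for $1" >&2
    rm -f "$tmp"
    return 1
  fi
  install -m 0755 "$tmp" "$2"
  rm -f "$tmp"
}

# Example wiring for the yq step (assumed params YQ_VERSION and YQ_SHA256;
# needs network access, so it is left as a comment here):
#   ARCH="$(arch_suffix "$(uname -m)")"
#   install_release_binary \
#     "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/$(asset_name yq_linux_ARCH "$ARCH")" \
#     /usr/local/bin/yq "$YQ_SHA256"
# The opm step is the same call with the linux-ARCH-opm template.
```

Because the checksum is a per-architecture value, the parameter that carries it has to be selected with the same `arch_suffix` result as the asset name; passing one amd64 digest for every worker would just move the hardcoding from the filename to the verification step.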

@AnnaZivkovic AnnaZivkovic force-pushed the automat-fbc-pr branch 3 times, most recently from 73cf59d to a4403d4 on May 4, 2026 21:13

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (3)
.tekton/fbc-update-final-pipeline.yaml (3)

332-338: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Don't hardcode an amd64-only opm download.

This step always pulls linux-amd64-opm, so it will break on any non-amd64 worker. Please derive the release asset suffix from uname -m and build the download URL from that value instead of hardcoding the architecture.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.tekton/fbc-update-final-pipeline.yaml around lines 332 - 338, The download
currently hardcodes linux-amd64-opm; detect the host architecture (use uname -m)
and map it to the operator-registry release suffix (e.g. x86_64 -> amd64,
aarch64 -> arm64, armv7l -> arm) into a variable (refer to OPM_VERSION and the
curl download line that writes to /usr/local/bin/opm), then construct the URL
using that arch variable (e.g. linux-${OPM_ARCH}-opm) before curl and chmod;
include a sensible default/fallback and fail-fast error handling if the
architecture is unsupported.

155-161: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Expose git-auth as a workspace instead of relying on a secret name.

Both clone/push paths are hard-wired to github-token, and the pipeline never declares an optional credentials workspace. That makes this pipeline impossible to bind with the documented Tekton workspace credential flow (.git-credentials, .netrc, SSH material) and couples it to one cluster-local secret name instead. Pipelines need to declare optional workspaces themselves, then map them into the task workspaces they consume at runtime. (tekton.dev)

Also applies to: 188-194, 299-312, 401-406

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.tekton/fbc-update-final-pipeline.yaml around lines 155 - 161, Replace the
hard-coded secretKeyRef for GITHUB_TOKEN with an optional workspace-based
credential flow: add an optional pipeline/workspace named git-auth to the
pipeline spec, update tasks that require Git credentials to accept a workspace
(e.g., the tasks that currently set env GITHUB_TOKEN from secretKeyRef
github-token), and in those taskBindings map the pipelineWorkspace git-auth into
the task workspace so the task can mount credentials (e.g., .git-credentials,
.netrc, or SSH keys) at runtime; do the same replacement for the other
occurrences that still reference secretKeyRef name github-token so all
clone/push paths use the git-auth workspace instead of a cluster-local secret.

117-120: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Don't fall back to .spec.components[0] for the release commit.

Line 119 can tag whichever component happens to be first in the snapshot. If the operator component is absent or reordered, this pipeline can create the release tag on an unrelated commit. Fall back to the bundle component by name, or fail fast instead.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.tekton/fbc-update-final-pipeline.yaml around lines 117 - 120, Do not
default to the first component in SNAPSHOT; instead extract the git revision
from the bundle component by name (e.g., query SNAPSHOT for .spec.components[] |
select(.name=="bundle").source.git.revision) and assign that to GIT_COMMIT, and
if that named component is not present or the revision is empty, fail fast (exit
non-zero) rather than falling back to .spec.components[0].source.git.revision;
update the logic that sets GIT_COMMIT to reference the component-by-name lookup
and add a clear error/exit when missing.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.tekton/fbc-update-final-pipeline.yaml:
- Around line 276-284: Remove the entire workspaces block from the PipelineTask
(the inline "workspaces:" with "volumeClaimTemplate") because
PipelineTask.workspaces does not accept volumeClaimTemplate and the inline
taskSpec has no matching workspace; if persistent storage is actually required,
instead add a workspace declaration to the taskSpec (taskSpec.workspaces) and
map it using a workspace binding (not volumeClaimTemplate) in this PipelineTask,
and then place the volumeClaimTemplate under PipelineRun.spec.workspaces to
create the PVC. Ensure the PipelineTask uses a "workspaces:" mapping (name ->
workspace) that matches the taskSpec workspace name, or simply delete the shown
workspaces block if no workspace is needed.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 52fafd6d-d531-4bec-acf4-1e8b882b908d

📥 Commits

Reviewing files that changed from the base of the PR and between 9613979 and 73cf59d.

📒 Files selected for processing (2)
  • .tekton/fbc-update-final-pipeline.yaml
  • .tekton/snapshot-validation-pipeline.yaml
✅ Files skipped from review due to trivial changes (1)
  • .tekton/snapshot-validation-pipeline.yaml

@AnnaZivkovic AnnaZivkovic force-pushed the automat-fbc-pr branch 5 times, most recently from 8a012b0 to 15bf25f on May 4, 2026 23:00
@red-hat-konflux

Caution

There are some errors in your PipelineRun template.

PipelineRun Error
fbc-update-final-pipeline.yaml yaml validation error: line 400: could not find expected ':'

@AnnaZivkovic AnnaZivkovic force-pushed the automat-fbc-pr branch 3 times, most recently from a6e9abe to c39395f on May 5, 2026 20:04
@openshift-ci

openshift-ci Bot commented May 5, 2026

@AnnaZivkovic: all tests passed!

