add cli-stack for binary distribution #3195

Open
sampras343 wants to merge 2 commits into conforma:release-v0.8 from sampras343:cli-stack

Conversation

@sampras343

Add cli-stack for binary aggregation into a single image and distribution to developers portal

@coderabbitai

coderabbitai bot commented Mar 25, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


@qodo-code-review

Review Summary by Qodo

Add CLI stack for multi-architecture binary distribution

✨ Enhancement

Walkthroughs

Description
• Add multi-architecture CLI binary distribution image
• Create Tekton pipeline configurations for PR and push events
• Aggregate pre-built binaries from multiple architectures into single image
• Support Linux, Darwin, and Windows platforms across architectures
Diagram
flowchart LR
  A["Per-arch CLI builds<br/>amd64, arm64, ppc64le, s390x"] -->|"Extract binaries"| B["Packager stage<br/>decompress and repackage"]
  B -->|"Collect all binaries"| C["Minimal UBI9 image<br/>with all tar.gz archives"]
  D["Tekton PR Pipeline<br/>conforma-cli-stack-pull-request.yaml"] -->|"Builds on PR"| C
  E["Tekton Push Pipeline<br/>conforma-cli-stack-push.yaml"] -->|"Builds on push"| C
  C -->|"Distributes to"| F["quay.io registry<br/>for developer access"]

File Changes

1. Dockerfile.cli-stack.rh ✨ Enhancement +68/-0

Multi-arch CLI binary aggregation Dockerfile

• Multi-stage Dockerfile that aggregates pre-built CLI binaries from four architectures
• Extracts and repackages Linux binaries for amd64, arm64, ppc64le, and s390x
• Includes cross-compiled Darwin and Windows binaries from amd64 build
• Creates minimal UBI9-based final image containing all binaries as tar.gz archives

2. .tekton/conforma-cli-stack-pull-request.yaml ⚙️ Configuration changes +54/-0

Tekton pipeline for CLI stack PR builds

• New Tekton PipelineRun configuration for pull request events on release-v0.8 branch
• Configures docker-build-oci-ta pipeline with Dockerfile.cli-stack.rh
• Sets output image to quay.io/securesign/conforma-cli-stack:on-pr-{{revision}}
• Enables hermetic builds and source image generation with 5-day expiration

3. .tekton/conforma-cli-stack-push.yaml ⚙️ Configuration changes +51/-0

Tekton pipeline for CLI stack push builds

• New Tekton PipelineRun configuration for push events on release-v0.8 branch
• Configures docker-build-oci-ta pipeline with Dockerfile.cli-stack.rh
• Sets output image to quay.io/securesign/conforma-cli-stack:{{revision}}
• Enables hermetic builds and source image generation for release builds

4. .tekton/cli-v08-push.yaml ⚙️ Configuration changes +1/-0

Add nudge annotation for CLI stack Dockerfile

• Adds build-nudge-files annotation referencing Dockerfile.cli-stack.rh
• Enables Konflux nudge mechanism to manage per-architecture digest updates


@qodo-code-review

qodo-code-review bot commented Mar 25, 2026

Code Review by Qodo

🐞 Bugs (5) 📘 Rule violations (0) 📎 Requirement gaps (0) 📐 Spec deviations (0)

Action required

1. Unbuildable digest placeholders 🐞 Bug ✓ Correctness
Description
Dockerfile.cli-stack.rh uses invalid image digests (sha256:REPLACE_*) in its FROM ...@sha256:
references, so builds of the cli-stack image will fail immediately when this Dockerfile is used by
the new PipelineRuns.
Code

Dockerfile.cli-stack.rh[R3-6]

+FROM --platform=linux/amd64   quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v08/cli-v08@sha256:REPLACE_AMD64 AS build-amd64
+FROM --platform=linux/arm64   quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v08/cli-v08@sha256:REPLACE_ARM64 AS build-arm64
+FROM --platform=linux/ppc64le quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v08/cli-v08@sha256:REPLACE_PPC64LE AS build-ppc64le
+FROM --platform=linux/s390x   quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v08/cli-v08@sha256:REPLACE_S390X AS build-s390x
Evidence
The Dockerfile’s base-image references are not valid sha256 digests (must be 64 hex chars), and both
new PipelineRuns explicitly build with this Dockerfile, so the pipeline will attempt to build an
unbuildable Dockerfile.

Dockerfile.cli-stack.rh[1-6]
.tekton/conforma-cli-stack-push.yaml[19-35]
.tekton/conforma-cli-stack-pull-request.yaml[20-38]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`Dockerfile.cli-stack.rh` cannot be built because its `FROM ...@sha256:` values are placeholders (`REPLACE_*`). The new cli-stack Tekton PipelineRuns reference this Dockerfile, so they will fail at build time.

### Issue Context
The file comment mentions Konflux nudging, but until nudging populates real digests, any run that tries to build this Dockerfile will fail.

### Fix Focus Areas
- Dockerfile.cli-stack.rh[1-6]
- .tekton/conforma-cli-stack-push.yaml[19-35]
- .tekton/conforma-cli-stack-pull-request.yaml[20-38]

### What to change
- Replace `sha256:REPLACE_*` with real per-arch digests (initial seed), OR switch to a buildable reference (e.g., a tag) until nudging is in place.
- Ensure the cli-stack pipelines do not run (or are gated) until the digests are populated.



2. Unknown release-version param 🐞 Bug ✓ Correctness
Description
The new cli-stack PipelineRuns set a release-version parameter, but this repository’s existing
docker-build-oci-ta pipeline spec (used for cli-v08) does not define that parameter, which can
cause Tekton to reject the PipelineRun due to an undeclared param.
Code

.tekton/conforma-cli-stack-push.yaml[R20-22]

+  - name: release-version
+    value: 1.4.0
+  - name: dockerfile
Evidence
In the repo’s inlined docker-build-oci-ta pipeline spec, the declared params list does not include
release-version. The new PipelineRuns add release-version, creating a mismatch against the known
pipeline interface in this repo.

.tekton/conforma-cli-stack-push.yaml[19-23]
.tekton/conforma-cli-stack-pull-request.yaml[20-24]
.tekton/cli-v08-push.yaml[50-116]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The new PipelineRuns pass `release-version`, but the repo’s `docker-build-oci-ta` pipeline interface (as represented by the existing inlined spec) doesn’t declare it. Tekton commonly errors when a PipelineRun supplies params not declared by the Pipeline.

### Issue Context
Existing `cli-v08` PipelineRuns use an inlined `docker-build-oci-ta` spec whose params are visible in-repo and do not include `release-version`.

### Fix Focus Areas
- .tekton/conforma-cli-stack-push.yaml[19-23]
- .tekton/conforma-cli-stack-pull-request.yaml[20-24]
- .tekton/cli-v08-push.yaml[50-116]

### What to change
- Remove the `release-version` param from both cli-stack PipelineRuns if it is unused.
- Alternatively, ensure the referenced pipeline actually declares `release-version` (and pin to that revision), and keep the param only if the pipeline consumes it.




Remediation recommended

3. Git-url template mismatch 🐞 Bug ⛯ Reliability
Description
The new cli-stack PipelineRuns use {{repo_url}} for git-url, while the existing repo
PipelineRuns use {{source_url}}, risking failed template substitution and a broken clone step for
cli-stack builds.
Code

.tekton/conforma-cli-stack-push.yaml[R24-25]

+  - name: git-url
+    value: '{{repo_url}}'
Evidence
Within this repo, git-url is populated using {{source_url}} in existing Pipelines-as-Code
PipelineRuns. The new files are the only ones using {{repo_url}}, so they may not receive a
substituted URL under the same PaC configuration.

.tekton/conforma-cli-stack-push.yaml[23-31]
.tekton/conforma-cli-stack-pull-request.yaml[23-35]
.tekton/cli-v08-push.yaml[20-26]
.tekton/cli-v08-pull-request.yaml[20-26]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
cli-stack PipelineRuns use a different PaC template variable for `git-url` than the existing, working pipelines in this repo.

### Issue Context
`cli-v08` PipelineRuns set `git-url` to `{{source_url}}`, while cli-stack uses `{{repo_url}}`.

### Fix Focus Areas
- .tekton/conforma-cli-stack-push.yaml[23-26]
- .tekton/conforma-cli-stack-pull-request.yaml[23-27]
- .tekton/cli-v08-push.yaml[20-23]
- .tekton/cli-v08-pull-request.yaml[20-23]

### What to change
- Switch cli-stack PipelineRuns to use `{{source_url}}` (or whichever variable is actually provided in your PaC setup) consistently across all PipelineRuns.



4. Unpinned pipelineRef revision 🐞 Bug ⛨ Security
Description
The new cli-stack PipelineRuns resolve their build pipeline from securesign/pipelines.git at
revision: main, making the CI behavior non-reproducible and vulnerable to upstream changes
breaking builds or changing the build process unexpectedly.
Code

.tekton/conforma-cli-stack-push.yaml[R36-44]

+  pipelineRef:
+    params:
+    - name: url
+      value: https://github.com/securesign/pipelines.git
+    - name: revision
+      value: main
+    - name: pathInRepo
+      value: pipelines/docker-build-oci-ta.yaml
+    resolver: git
Evidence
Both new PipelineRuns reference a moving git branch (main) for the pipeline definition. In
contrast, the existing in-repo pipeline spec pins task bundles by digest, which is reproducible.

.tekton/conforma-cli-stack-push.yaml[36-44]
.tekton/conforma-cli-stack-pull-request.yaml[39-47]
.tekton/cli-v08-push.yaml[131-165]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
Using `revision: main` for a git-resolved pipeline makes builds non-deterministic.

### Issue Context
The cli-stack PipelineRuns resolve the pipeline from git; the existing pipeline in this repo pins referenced bundles by digest.

### Fix Focus Areas
- .tekton/conforma-cli-stack-push.yaml[36-44]
- .tekton/conforma-cli-stack-pull-request.yaml[39-47]

### What to change
- Pin `pipelineRef.params.revision` to an immutable git commit SHA (or a signed/tagged immutable ref), and update it intentionally when you want pipeline changes.
- Optionally prefer a Tekton bundle reference pinned by digest if that’s the repo standard.



5. Missing SA/namespace definitions 🐞 Bug ⛯ Reliability
Description
The new PipelineRuns target `namespace: rhtas-tenant` and `serviceAccountName: build-pipeline-conforma-cli-stack`, but this repo contains no other references/manifests for that namespace/service account, so these PipelineRuns are likely to fail in environments where those resources are not pre-provisioned.
Code

.tekton/conforma-cli-stack-push.yaml[46]

+    serviceAccountName: build-pipeline-conforma-cli-stack
Evidence
Existing PipelineRuns in this repo are configured for rhtap-contract-tenant and a different
service account (build-pipeline-cli-v08). The cli-stack files introduce a new namespace/SA pair
not used elsewhere in the repository.

.tekton/conforma-cli-stack-push.yaml[16-18]
.tekton/conforma-cli-stack-push.yaml[45-47]
.tekton/conforma-cli-stack-pull-request.yaml[17-19]
.tekton/conforma-cli-stack-pull-request.yaml[48-50]
.tekton/cli-v08-push.yaml[17-19]
.tekton/cli-v08-push.yaml[534-536]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The new PipelineRuns assume a namespace and service account that are not referenced anywhere else in this repo.

### Issue Context
Other PipelineRuns use `rhtap-contract-tenant` and `build-pipeline-cli-v08`.

### Fix Focus Areas
- .tekton/conforma-cli-stack-push.yaml[16-18]
- .tekton/conforma-cli-stack-push.yaml[45-47]
- .tekton/conforma-cli-stack-pull-request.yaml[17-19]
- .tekton/conforma-cli-stack-pull-request.yaml[48-50]

### What to change
- Either update cli-stack PipelineRuns to use the existing namespace/SA conventions used by the repo, OR
- Add (or reference) the manifests/docs that provision `rhtas-tenant` and `build-pipeline-conforma-cli-stack` so this configuration is deployable and testable.




@sampras343 sampras343 marked this pull request as draft March 25, 2026 09:52
Signed-off-by: Sachin Sampras M <sampras343@gmail.com>
@sampras343 sampras343 marked this pull request as ready for review March 25, 2026 09:57
@qodo-code-review

Review Summary by Qodo

Add CLI stack for multi-platform binary distribution

✨ Enhancement

Walkthroughs

Description
• Add multi-architecture CLI binary aggregation image
• Create Tekton pipeline configurations for pull requests and push events
• Bundle CLI binaries for Linux, Darwin, and Windows platforms
• Enable binary distribution via container registry
Diagram
flowchart LR
  A["Multi-arch CLI builds<br/>amd64, arm64, ppc64le, s390x"] -->|"Aggregate binaries"| B["Dockerfile.cli-stack.rh<br/>Packager stage"]
  B -->|"Extract & compress"| C["Binary archives<br/>Linux, Darwin, Windows"]
  C -->|"Final minimal image"| D["quay.io/securesign/<br/>conforma-cli-stack"]
  E["Pull Request trigger"] -->|"Build on PR"| F["conforma-cli-stack-pull-request.yaml"]
  G["Push to release-v0.8"] -->|"Build on push"| H["conforma-cli-stack-push.yaml"]
  F -->|"Uses pipeline"| D
  H -->|"Uses pipeline"| D

File Changes

1. Dockerfile.cli-stack.rh ✨ Enhancement +66/-0

Multi-platform CLI binary aggregation Dockerfile

• Multi-stage Dockerfile aggregating CLI binaries from four Linux architectures
• Extracts and repackages native binaries for amd64, arm64, ppc64le, s390x
• Includes cross-compiled Darwin and Windows binaries from amd64 build
• Final minimal UBI9 image containing all binaries in /binaries/ directory

2. .tekton/conforma-cli-stack-pull-request.yaml ⚙️ Configuration changes +54/-0

Tekton pipeline for CLI stack pull request builds

• New Tekton PipelineRun for pull request builds on release-v0.8 branch
• Configures build parameters including release version 1.4.0 and Dockerfile reference
• Outputs image to quay.io/securesign/conforma-cli-stack:on-pr-{{revision}}
• Enables hermetic builds and source image generation with git authentication

3. .tekton/conforma-cli-stack-push.yaml ⚙️ Configuration changes +51/-0

Tekton pipeline for CLI stack push event builds

• New Tekton PipelineRun for push events on release-v0.8 branch
• Mirrors pull request configuration with push-specific output image tag
• Outputs image to quay.io/securesign/conforma-cli-stack:{{revision}}
• Maintains hermetic builds and source image generation settings

4. .tekton/cli-v08-push.yaml ⚙️ Configuration changes +1/-0

Add CLI stack Dockerfile build trigger annotation

• Adds build nudge annotation referencing Dockerfile.cli-stack.rh
• Enables automatic pipeline triggering when CLI stack Dockerfile changes


@qodo-code-review

qodo-code-review bot commented Mar 25, 2026

Code Review by Qodo

🐞 Bugs (7) 📘 Rule violations (0) 📎 Requirement gaps (0) 📐 Spec deviations (0)

Action required

1. Unbuildable digest placeholders 🐞 Bug ✓ Correctness
Description
Dockerfile.cli-stack.rh uses invalid image digests (sha256:REPLACE_*) in its FROM ...@sha256:
references, so builds of the cli-stack image will fail immediately when this Dockerfile is used by
the new PipelineRuns.
Code

Dockerfile.cli-stack.rh[R3-6]

+FROM --platform=linux/amd64   quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v08/cli-v08@sha256:REPLACE_AMD64 AS build-amd64
+FROM --platform=linux/arm64   quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v08/cli-v08@sha256:REPLACE_ARM64 AS build-arm64
+FROM --platform=linux/ppc64le quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v08/cli-v08@sha256:REPLACE_PPC64LE AS build-ppc64le
+FROM --platform=linux/s390x   quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v08/cli-v08@sha256:REPLACE_S390X AS build-s390x
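Review bot: each of these four stages combines `--platform=linux/<arch>` with its own per-architecture digest placeholder (`REPLACE_AMD64`, `REPLACE_ARM64`, ...). Once the nudge fills the placeholders in, `--platform` only has a role if the digest resolves to a multi-architecture index; if it resolves to a single-architecture manifest, the flag is redundant, and a flag that disagrees with that manifest's platform makes the build fail. A comment in the Dockerfile stating which kind of digest the nudge is expected to write would keep the four `FROM` lines and the flag consistent.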
Evidence
The Dockerfile’s base-image references are not valid sha256 digests (must be 64 hex chars), and both
new PipelineRuns explicitly build with this Dockerfile, so the pipeline will attempt to build an
unbuildable Dockerfile.

Dockerfile.cli-stack.rh[1-6]
.tekton/conforma-cli-stack-push.yaml[19-35]
.tekton/conforma-cli-stack-pull-request.yaml[20-38]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`Dockerfile.cli-stack.rh` cannot be built because its `FROM ...@sha256:` values are placeholders (`REPLACE_*`). The new cli-stack Tekton PipelineRuns reference this Dockerfile, so they will fail at build time.

### Issue Context
The file comment mentions Konflux nudging, but until nudging populates real digests, any run that tries to build this Dockerfile will fail.

### Fix Focus Areas
- Dockerfile.cli-stack.rh[1-6]
- .tekton/conforma-cli-stack-push.yaml[19-35]
- .tekton/conforma-cli-stack-pull-request.yaml[20-38]

### What to change
- Replace `sha256:REPLACE_*` with real per-arch digests (initial seed), OR switch to a buildable reference (e.g., a tag) until nudging is in place.
- Ensure the cli-stack pipelines do not run (or are gated) until the digests are populated.



2. Unknown release-version param 🐞 Bug ✓ Correctness
Description
The new cli-stack PipelineRuns set a release-version parameter, but this repository’s existing
docker-build-oci-ta pipeline spec (used for cli-v08) does not define that parameter, which can
cause Tekton to reject the PipelineRun due to an undeclared param.
Code

.tekton/conforma-cli-stack-push.yaml[R20-22]

+  - name: release-version
+    value: 1.4.0
+  - name: dockerfile
Evidence
In the repo’s inlined docker-build-oci-ta pipeline spec, the declared params list does not include
release-version. The new PipelineRuns add release-version, creating a mismatch against the known
pipeline interface in this repo.

.tekton/conforma-cli-stack-push.yaml[19-23]
.tekton/conforma-cli-stack-pull-request.yaml[20-24]
.tekton/cli-v08-push.yaml[50-116]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The new PipelineRuns pass `release-version`, but the repo’s `docker-build-oci-ta` pipeline interface (as represented by the existing inlined spec) doesn’t declare it. Tekton commonly errors when a PipelineRun supplies params not declared by the Pipeline.

### Issue Context
Existing `cli-v08` PipelineRuns use an inlined `docker-build-oci-ta` spec whose params are visible in-repo and do not include `release-version`.

### Fix Focus Areas
- .tekton/conforma-cli-stack-push.yaml[19-23]
- .tekton/conforma-cli-stack-pull-request.yaml[20-24]
- .tekton/cli-v08-push.yaml[50-116]

### What to change
- Remove the `release-version` param from both cli-stack PipelineRuns if it is unused.
- Alternatively, ensure the referenced pipeline actually declares `release-version` (and pin to that revision), and keep the param only if the pipeline consumes it.




Remediation recommended

3. Wrong build nudge file 🐞 Bug ⛯ Reliability ⭐ New
Description
cli-v08-on-push now declares build-nudge-files: Dockerfile.cli-stack.rh, but that PipelineRun’s
dockerfile param is Dockerfile.dist, so edits to the cli-stack Dockerfile will unnecessarily
trigger the cli-v08 build (and not the intended cli-stack build).
Code

.tekton/cli-v08-push.yaml[R4-6]

  annotations:
+    build.appstudio.openshift.io/build-nudge-files: "Dockerfile.cli-stack.rh"
    build.appstudio.openshift.io/repo: https://github.com/conforma/cli?rev={{revision}}
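Review bot: the placement of this annotation is consistent with how Konflux nudging works, and the finding above reads it the other way round: `build-nudge-files` on the cli-v08 push PipelineRun lists the files in dependent components that Konflux rewrites with cli-v08's new image digest, which is exactly the mechanism meant to replace the `REPLACE_*` placeholders in `Dockerfile.cli-stack.rh`. It does not make edits to that file trigger this PipelineRun; triggering is still governed by `on-cel-expression`. Two things worth confirming before merge: that the cli-stack Component's `build-nudges-ref` relationship to cli-v08 exists on the Konflux side (it is not in this repo), and that the nudge updates all four per-architecture digests rather than only one of them.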
Evidence
In cli-v08-push.yaml, the new build-nudge-files points at Dockerfile.cli-stack.rh, while the
same PipelineRun’s dockerfile param is Dockerfile.dist. Therefore the nudge file does not
correspond to the build inputs for that PipelineRun and will create cross-triggered rebuilds when
the stack Dockerfile changes.

.tekton/cli-v08-push.yaml[1-32]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`cli-v08-on-push` is configured to build using `Dockerfile.dist`, but the PR adds a `build-nudge-files` annotation pointing to `Dockerfile.cli-stack.rh`. This causes unrelated changes to the cli-stack Dockerfile to trigger cli-v08 rebuilds.

### Issue Context
`build.appstudio.openshift.io/build-nudge-files` should list files that are true build inputs for that PipelineRun.

### Fix Focus Areas
- .tekton/cli-v08-push.yaml[3-31]

Change `build-nudge-files` to `Dockerfile.dist` (or remove it if not needed) and, if desired, add an appropriate `build-nudge-files` annotation to the *conforma-cli-stack* PipelineRuns instead.



4. Git-url template mismatch 🐞 Bug ⛯ Reliability
Description
The new cli-stack PipelineRuns use {{repo_url}} for git-url, while the existing repo
PipelineRuns use {{source_url}}, risking failed template substitution and a broken clone step for
cli-stack builds.
Code

.tekton/conforma-cli-stack-push.yaml[R24-25]

+  - name: git-url
+    value: '{{repo_url}}'
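Review bot: the two variables differ in meaning, not only in consistency with the other files. In Pipelines-as-Code `{{repo_url}}` is the URL of the target repository, while `{{source_url}}` is the repository the change comes from, which on a fork-based pull request is the fork (this PR itself comes from `sampras343:cli-stack`). A PR PipelineRun that clones `{{repo_url}}` at `{{revision}}` cannot find a commit that only exists in the fork, so `conforma-cli-stack-pull-request.yaml` in particular should use `{{source_url}}` as the existing PipelineRuns do.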
Evidence
Within this repo, git-url is populated using {{source_url}} in existing Pipelines-as-Code
PipelineRuns. The new files are the only ones using {{repo_url}}, so they may not receive a
substituted URL under the same PaC configuration.

.tekton/conforma-cli-stack-push.yaml[23-31]
.tekton/conforma-cli-stack-pull-request.yaml[23-35]
.tekton/cli-v08-push.yaml[20-26]
.tekton/cli-v08-pull-request.yaml[20-26]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
cli-stack PipelineRuns use a different PaC template variable for `git-url` than the existing, working pipelines in this repo.

### Issue Context
`cli-v08` PipelineRuns set `git-url` to `{{source_url}}`, while cli-stack uses `{{repo_url}}`.

### Fix Focus Areas
- .tekton/conforma-cli-stack-push.yaml[23-26]
- .tekton/conforma-cli-stack-pull-request.yaml[23-27]
- .tekton/cli-v08-push.yaml[20-23]
- .tekton/cli-v08-pull-request.yaml[20-23]

### What to change
- Switch cli-stack PipelineRuns to use `{{source_url}}` (or whichever variable is actually provided in your PaC setup) consistently across all PipelineRuns.



5. Unpinned pipelineRef revision 🐞 Bug ⛨ Security
Description
The new cli-stack PipelineRuns resolve their build pipeline from securesign/pipelines.git at
revision: main, making the CI behavior non-reproducible and vulnerable to upstream changes
breaking builds or changing the build process unexpectedly.
Code

.tekton/conforma-cli-stack-push.yaml[R36-44]

+  pipelineRef:
+    params:
+    - name: url
+      value: https://github.com/securesign/pipelines.git
+    - name: revision
+      value: main
+    - name: pathInRepo
+      value: pipelines/docker-build-oci-ta.yaml
+    resolver: git
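Review bot: pinning `revision` to a commit SHA makes the pipeline definition itself reproducible, but the git resolver also pulls in every task that `pipelines/docker-build-oci-ta.yaml` references. Those stay reproducible only if that file, at the pinned commit in securesign/pipelines, pins its task bundles by digest the way the in-repo spec does, so check that file at the chosen commit before relying on the pin.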
Evidence
Both new PipelineRuns reference a moving git branch (main) for the pipeline definition. In
contrast, the existing in-repo pipeline spec pins task bundles by digest, which is reproducible.

.tekton/conforma-cli-stack-push.yaml[36-44]
.tekton/conforma-cli-stack-pull-request.yaml[39-47]
.tekton/cli-v08-push.yaml[131-165]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
Using `revision: main` for a git-resolved pipeline makes builds non-deterministic.

### Issue Context
The cli-stack PipelineRuns resolve the pipeline from git; the existing pipeline in this repo pins referenced bundles by digest.

### Fix Focus Areas
- .tekton/conforma-cli-stack-push.yaml[36-44]
- .tekton/conforma-cli-stack-pull-request.yaml[39-47]

### What to change
- Pin `pipelineRef.params.revision` to an immutable git commit SHA (or a signed/tagged immutable ref), and update it intentionally when you want pipeline changes.
- Optionally prefer a Tekton bundle reference pinned by digest if that’s the repo standard.



6. Missing SA/namespace definitions 🐞 Bug ⛯ Reliability
Description
The new PipelineRuns target `namespace: rhtas-tenant` and `serviceAccountName: build-pipeline-conforma-cli-stack`, but this repo contains no other references/manifests for that namespace/service account, so these PipelineRuns are likely to fail in environments where those resources are not pre-provisioned.
Code

.tekton/conforma-cli-stack-push.yaml[46]

+    serviceAccountName: build-pipeline-conforma-cli-stack
Evidence
Existing PipelineRuns in this repo are configured for rhtap-contract-tenant and a different
service account (build-pipeline-cli-v08). The cli-stack files introduce a new namespace/SA pair
not used elsewhere in the repository.

.tekton/conforma-cli-stack-push.yaml[16-18]
.tekton/conforma-cli-stack-push.yaml[45-47]
.tekton/conforma-cli-stack-pull-request.yaml[17-19]
.tekton/conforma-cli-stack-pull-request.yaml[48-50]
.tekton/cli-v08-push.yaml[17-19]
.tekton/cli-v08-push.yaml[534-536]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The new PipelineRuns assume a namespace and service account that are not referenced anywhere else in this repo.

### Issue Context
Other PipelineRuns use `rhtap-contract-tenant` and `build-pipeline-cli-v08`.

### Fix Focus Areas
- .tekton/conforma-cli-stack-push.yaml[16-18]
- .tekton/conforma-cli-stack-push.yaml[45-47]
- .tekton/conforma-cli-stack-pull-request.yaml[17-19]
- .tekton/conforma-cli-stack-pull-request.yaml[48-50]

### What to change
- Either update cli-stack PipelineRuns to use the existing namespace/SA conventions used by the repo, OR
- Add (or reference) the manifests/docs that provision `rhtas-tenant` and `build-pipeline-conforma-cli-stack` so this configuration is deployable and testable.




Advisory comments

7. Missing cancel-in-progress 🐞 Bug ⛯ Reliability ⭐ New
Description
The conforma-cli-stack pull-request PipelineRun omits
pipelinesascode.tekton.dev/cancel-in-progress, so repeated PR updates can queue multiple
concurrent builds instead of canceling obsolete runs (unlike the existing cli-v08 PR pipeline).
Code

.tekton/conforma-cli-stack-pull-request.yaml[R8-12]

+    build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+    pipelinesascode.tekton.dev/max-keep-runs: "3"
+    pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch
+      == "release-v0.8"
+  creationTimestamp: null
Evidence
cli-v08-on-pull-request explicitly sets pipelinesascode.tekton.dev/cancel-in-progress: "true",
but the new stack PR PipelineRun has only max-keep-runs and the CEL expression. This is a
behavioral difference that can increase cluster load and delay feedback on active PRs.

.tekton/conforma-cli-stack-pull-request.yaml[4-12]
.tekton/cli-v08-pull-request.yaml[4-12]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The PR PipelineRun for `conforma-cli-stack` doesn’t specify whether in-progress runs should be canceled when new commits are pushed to the PR. This can lead to redundant builds.

### Issue Context
The existing `cli-v08-on-pull-request` PipelineRun uses `pipelinesascode.tekton.dev/cancel-in-progress: "true"`.

### Fix Focus Areas
- .tekton/conforma-cli-stack-pull-request.yaml[4-12]

Add `pipelinesascode.tekton.dev/cancel-in-progress: "true"` (or explicitly set a desired value) to make the behavior intentional and consistent.



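As an added example (not code from the PR or from either review bot), a small pre-merge check that catches the two purely syntactic findings above: placeholder or unpinned digests in Dockerfile `FROM` lines, and a git-resolved `pipelineRef` whose `revision` is a branch name rather than a commit SHA. All sample inputs are constructed; the hostnames and the 40-hex commit SHA are examples, not values from this repository.

```python
"""Pre-merge checks for digest-pinned FROM lines and pinned pipelineRef
revisions.  Added example, not project code; every input below is constructed."""
import re

# Constructed Dockerfile: two placeholder digests, one valid digest, one
# tag-only reference, and one FROM that reuses an earlier build stage.
SAMPLE_DOCKERFILE = """\
FROM --platform=linux/amd64   quay.io/example/cli@sha256:REPLACE_AMD64 AS build-amd64
FROM --platform=linux/arm64   quay.io/example/cli@sha256:REPLACE_ARM64 AS build-arm64
FROM registry.example.com/ubi9/go-toolset:9.7@sha256:799cc027d5ad58cdc156b65286eb6389993ec14c496cf748c09834b7251e78dc AS packager
FROM registry.example.com/ubi9/ubi-minimal:9.7
COPY --from=packager /binaries /binaries
FROM packager AS repack
"""

# Constructed PipelineRun fragment mirroring the unpinned pipelineRef pattern.
SAMPLE_PIPELINERUN = """\
spec:
  pipelineRef:
    params:
    - name: url
      value: https://github.com/example/pipelines.git
    - name: revision
      value: main
    - name: pathInRepo
      value: pipelines/docker-build-oci-ta.yaml
    resolver: git
"""
# Same fragment with revision pinned to a constructed 40-hex commit SHA.
PINNED_PIPELINERUN = SAMPLE_PIPELINERUN.replace(
    "value: main", "value: 0123456789abcdef0123456789abcdef01234567")

FROM_RE = re.compile(
    r"^[ \t]*FROM[ \t]+(?:--platform=\S+[ \t]+)?(?P<ref>\S+)"
    r"(?:[ \t]+AS[ \t]+(?P<stage>\S+))?",
    re.IGNORECASE | re.MULTILINE)
HEX64 = re.compile(r"[0-9a-f]{64}")
HEX40 = re.compile(r"[0-9a-f]{40}")
INVALID_DIGEST = "invalid sha256 digest (expected 64 hex chars)"
UNPINNED_IMAGE = "not pinned by digest"
UNPINNED_REVISION = "git-resolved pipelineRef revision is not a commit SHA"


def check_dockerfile_digests(text):
    """Return (image_ref, problem) for every FROM whose reference is not a
    digest-pinned image.  References to earlier stages and to the special
    'scratch' image are skipped, since they are not registry pulls."""
    findings, stages = [], {"scratch"}
    for m in FROM_RE.finditer(text):
        ref, stage = m.group("ref"), m.group("stage")
        if ref.lower() in stages:
            pass
        elif "@sha256:" not in ref:
            findings.append((ref, UNPINNED_IMAGE))
        elif not HEX64.fullmatch(ref.split("@sha256:", 1)[1]):
            # Catches REPLACE_* placeholders, truncated and upper-case digests.
            findings.append((ref, INVALID_DIGEST))
        if stage:
            stages.add(stage.lower())
    return findings


def git_resolver_revision(text):
    """Return the `revision` param of a git-resolved pipelineRef, or None when
    the PipelineRun uses an inline pipelineSpec or a different resolver."""
    block = re.search(r"pipelineRef:\n((?:[ \t]+.*\n)+)", text)
    if not block or not re.search(r"^\s*resolver:\s*git\s*$", block.group(1), re.M):
        return None
    m = re.search(r"-\s*name:\s*revision\s*\n\s*value:\s*(\S+)", block.group(1))
    return m.group(1) if m else None


def check_revision_pinned(text):
    """Flag a git-resolved pipelineRef whose revision is a branch or tag."""
    rev = git_resolver_revision(text)
    if rev is None or HEX40.fullmatch(rev):
        return []
    return [(rev, UNPINNED_REVISION)]


if __name__ == "__main__":
    for ref, problem in check_dockerfile_digests(SAMPLE_DOCKERFILE):
        print(f"Dockerfile: {ref}: {problem}")
    for rev, problem in check_revision_pinned(SAMPLE_PIPELINERUN):
        print(f"PipelineRun: revision={rev}: {problem}")
```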

@sampras343
Author

@simonbaird

@@ -0,0 +1,66 @@
FROM --platform=linux/amd64 quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v08/cli-v08@sha256:7d2ecffad4cee873caee676eda74c5acd6254e64bbca8280b1d69f0806426999 AS build-amd64
Member

I think it needs a license preamble to avoid a lint error.

Author

addressed

Member

I was expecting to see a version number in the filename.

We are a little bit "multi-stream", i.e. we maintain and build more than one parallel release branch build. Right now we have v0.6, v0.7 and v0.8. (v0.6 would be retired soon after RHTAS 1.4 is shipped.)

So I think it's likely we should version the component name, so we can have say "conforma-cli-stack-v08" and later in the year we can introduce "conforma-cli-stack-v09". Wdyt?

Author
@sampras343 sampras343 Mar 25, 2026

Similar multi-stream approach here as well.
The current component created is under main$ by default, so the naming is conforma-cli-stack.
I will address this issue when I create the stack under 1.4 release of rhtas.
So the application would be like cli-stacks-v1-4 and the component under that could be conforma-cli-stack-v08.

Member

Hmm okay.

FROM --platform=linux/ppc64le quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v08/cli-v08@sha256:2e385572d9cc508288e5a4cc7a44c22de4266be860e725a7795d4402db1314c0 AS build-ppc64le
FROM --platform=linux/s390x quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v08/cli-v08@sha256:e725abfa91aa21d28d2ae5b5c5fa5544bcd3998b48c18d268d981c1ad51d3f1f AS build-s390x

FROM registry.redhat.io/ubi9/go-toolset:9.7@sha256:799cc027d5ad58cdc156b65286eb6389993ec14c496cf748c09834b7251e78dc AS packager
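Review bot: `go-toolset:9.7` is pulled into the packager stage only to run tar and gzip on the extracted binaries, which adds a full Go toolchain image to the build graph for a repackaging step. If `ubi-minimal` is ruled out because it lacks gzip, the standard `ubi9` base image ships tar and gzip in its package set and would be a lighter option that is still a Red Hat signed image without installing extra packages; the digest pin on this line is good and should be kept on whichever image replaces it.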
Member

Not a blocker, but I'm wondering why you need the go-toolset. Seems like gzip and tar would be all that is needed, so why not use a lighter-weight image to do the packaging?

Author

In one of my earlier tryouts, I tried using ubi-minimal, but gzip was not found in it and I had to install it on top, which I felt was counter-intuitive to the already signed-off packages within the image.
Plus, the final base image in the multi-stage build is something minimal.

@sampras343 sampras343 requested a review from simonbaird March 25, 2026 14:06
Signed-off-by: Sachin Sampras M <sampras343@gmail.com>
Contributor

@st3penta st3penta left a comment

Looks good to me
