Red Hat Konflux kflux-prd-rh02 update hyperfleet-sentinel

[red-hat-konflux-kflux-prd-rh02]

Pipelines as Code configuration proposal

To start the PipelineRun, add a new comment with content /ok-to-test

For more detailed information about running a PipelineRun, please refer to Pipelines as Code documentation Running the PipelineRun

To customize the proposed PipelineRuns after merge, please refer to Build Pipeline customization

Please follow the block sequence indentation style introduced by the proprosed PipelineRuns YAMLs, or keep using consistent indentation level through your customized PipelineRuns. When different levels are mixed, it will be changed to the proposed style.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign rh-amarin for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR.

I'm waiting for a openshift-hyperfleet member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

📝 Walkthrough

Summary by CodeRabbit

• Chores
  • Added pipeline automation configurations for continuous integration and container image validation processes.

Walkthrough

Two Tekton PipelineRun YAML manifests were added to define CI/CD pipelines for building and validating the hyperfleet-sentinel container image. The pull-request manifest (.tekton/hyperfleet-sentinel-pull-request.yaml) configures a pipeline triggered on pull requests with PR-scoped parameters and optional gated security scans. The push manifest (.tekton/hyperfleet-sentinel-push.yaml) defines a similar pipeline for push events to the main branch. Both manifests define multi-stage task graphs including repository initialization, dependency prefetching, container builds via buildah, optional source image creation, post-build security checks (deprecated base image, Clair, ecosystem cert, SAST, ClamAV, RPM signature scanning), image tagging, and Dockerfile artifact pushes. Results from upstream tasks (image URLs, digests, commit info) are wired into downstream tasks via parameter/result propagation. Workspaces for git authentication and netrc are declared as optional, with build-pipeline-hyperfleet-sentinel as the service account.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly relates to the main change: adding Tekton pipeline configurations for the hyperfleet-sentinel project to support both pull request and push workflows.
Description check	✅ Passed	The description is related to the changeset as it explains the Pipelines as Code configuration proposal that is being added, including instructions for running PipelineRuns and references to customization documentation.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch konflux-hyperfleet-sentinel

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.tekton/hyperfleet-sentinel-pull-request.yaml:
- Around line 91-93: The parameter "enable-cache-proxy" is missing an explicit
type; add a line "type: string" under the parameter definition so it matches the
style used in push.yaml and other parameters (keep the existing default and
description and ensure indentation matches surrounding parameters); update the
block that currently contains name: enable-cache-proxy to include type: string.

In @.tekton/hyperfleet-sentinel-push.yaml:
- Around line 88-90: The parameter entry for enable-cache-proxy is missing an
explicit type; update the parameter block that contains name: enable-cache-proxy
and default: "false" to include type: string so it matches the other string
parameters and keeps parameter definitions consistent.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 785296fb-042a-4b7a-8332-2d80f5c5ad07

📥 Commits

Reviewing files that changed from the base of the PR and between 36b9830 and 491b702.

📒 Files selected for processing (2)

• .tekton/hyperfleet-sentinel-pull-request.yaml
• .tekton/hyperfleet-sentinel-push.yaml

[coderabbitai]

🧹 Nitpick | 🔵 Trivial | 💤 Low value

Missing type: string for enable-cache-proxy parameter (same as push.yaml).

For consistency with the push pipeline and other parameters in this file, add the explicit type declaration.

♻️ Suggested fix

     - default: "false"
       description: Enable cache proxy configuration
       name: enable-cache-proxy
+      type: string

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- default: "false"
	description: Enable cache proxy configuration
	name: enable-cache-proxy
	- default: "false"
	description: Enable cache proxy configuration
	name: enable-cache-proxy
	type: string

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.tekton/hyperfleet-sentinel-pull-request.yaml around lines 91 - 93, The
parameter "enable-cache-proxy" is missing an explicit type; add a line "type:
string" under the parameter definition so it matches the style used in push.yaml
and other parameters (keep the existing default and description and ensure
indentation matches surrounding parameters); update the block that currently
contains name: enable-cache-proxy to include type: string.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial | 💤 Low value

Missing type: string for enable-cache-proxy parameter.

This parameter is missing the explicit type declaration that all other string parameters have. While Tekton infers string as the default type, adding it maintains consistency with the rest of the parameter definitions.

♻️ Suggested fix

     - default: "false"
       description: Enable cache proxy configuration
       name: enable-cache-proxy
+      type: string

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- default: "false"
	description: Enable cache proxy configuration
	name: enable-cache-proxy
	- default: "false"
	description: Enable cache proxy configuration
	name: enable-cache-proxy
	type: string

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.tekton/hyperfleet-sentinel-push.yaml around lines 88 - 90, The parameter
entry for enable-cache-proxy is missing an explicit type; update the parameter
block that contains name: enable-cache-proxy and default: "false" to include
type: string so it matches the other string parameters and keeps parameter
definitions consistent.

[ciaranRoche]

/ok-to-test

[ciaranRoche]

/retest

[openshift-ci]

@red-hat-konflux-kflux-prd-rh02[bot]: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/validate-commits	491b702	link	true	/test validate-commits

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.