Update POLICY_BUNDLE_DIGEST in tekton-task bundle and catalog #217

Merged: joejstuart merged 7 commits into conforma:main from joejstuart:policy-digest-bump on May 21, 2026

Conversation

@joejstuart joejstuart commented May 20, 2026

Jira: EC-1846

Summary

  • After acceptance tests and policy tagging, the tekton-catalog-release job now updates the POLICY_BUNDLE_DIGEST default in task definitions to the current release-policy:konflux digest
  • Rebuilds the tekton-task bundle with updated tasks and pushes as :konflux, keeping the bundle and tekton-catalog in sync
  • Adds hack/extract-all-bundle-tasks.sh to extract all tasks from a bundle (not just acceptance-tested ones), so collect-keyless-params is included

Changes

tag job: Filters tekton-task entries from "Tag tested images by digest" since the bundle is now rebuilt by tekton-catalog-release.

tekton-catalog-release job:

  • Depends on both acceptance-tests and tag (tolerates tag being skipped)
  • Logs in to quay.io via crane auth login (compatible with tkn bundle push)
  • Extracts all tasks from the tested bundle using the new extract-all-bundle-tasks.sh
  • Computes the release-policy:konflux digest via crane digest and updates POLICY_BUNDLE_DIGEST in task definitions
  • Pushes rebuilt bundle as quay.io/conforma/tekton-task:konflux via tkn bundle push
  • Pushes updated tasks to conforma/tekton-catalog konflux branch (existing behavior)

Test plan

  • Run workflow via workflow_dispatch with run_tag: true and run_tekton_catalog: true
  • Verify quay.io/conforma/tekton-task:konflux contains all 3 tasks (verify-enterprise-contract, verify-conforma-konflux-ta, collect-keyless-params)
  • Verify POLICY_BUNDLE_DIGEST default in the bundle tasks matches crane digest quay.io/conforma/release-policy:konflux
  • Verify conforma/tekton-catalog konflux branch has the same updated digest
  • Verify run_tag: false + run_tekton_catalog: true still works (uses existing :konflux digest)

🤖 Generated with Claude Code

After acceptance tests pass and policy bundles are tagged :konflux,
the tekton-catalog-release job now extracts all tasks from the tested
bundle, updates the POLICY_BUNDLE_DIGEST default to the current
release-policy:konflux digest, rebuilds the tekton-task bundle, and
pushes both the bundle (:konflux) and task files (tekton-catalog).

The tag job no longer copies the tekton-task bundle directly since
tekton-catalog-release handles it with the updated digest.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
coderabbitai Bot commented May 20, 2026

Warning

Rate limit exceeded

@joejstuart has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 25 minutes and 19 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: da3a2ebb-1930-4439-a8ac-214345689c81

📥 Commits

Reviewing files that changed from the base of the PR and between 418fdc0 and 1e4c13a.

📒 Files selected for processing (6)
  • .github/workflows/konflux-policy.yaml
  • .shellspec
  • hack/update-policy-digest.sh
  • spec/extract_all_bundle_tasks_spec.sh
  • spec/spec_helper.sh
  • spec/update_policy_digest_spec.sh
📝 Walkthrough

This PR splits tekton bundle publishing into a dedicated tekton-task-bundle job, adds a workflow dispatch to control it, excludes tekton-task from normal tagging, adds a script to extract task YAMLs from OCI bundles, substitutes updated POLICY_BUNDLE_DIGEST values in task YAMLs, pushes an updated tekton-task:konflux bundle, and changes catalog extraction to use the newly published bundle.

Changes

Tekton task bundle extraction and release refactoring

Layer / File(s) / Summary
Workflow input & tag gating (.github/workflows/konflux-policy.yaml): Adds workflow_dispatch boolean run_tekton_task_bundle and updates the tag job to skip tekton-task entries; introduces tekton-task-bundle job header and gating.
tekton-task-bundle job implementation (.github/workflows/konflux-policy.yaml): Installs tkn, logs into quay.io/conforma, derives tekton-task bundle digest(s) from BUNDLE_DIGESTS, extracts task YAMLs, computes the release-policy:konflux digest, updates POLICY_BUNDLE_DIGEST defaults in extracted task YAMLs, and pushes quay.io/conforma/tekton-task:konflux via tkn bundle push.
Tekton catalog job gating & extraction (.github/workflows/konflux-policy.yaml): Changes tekton-catalog job to depend on acceptance-tests and tekton-task-bundle, gated by workflow inputs and success state, and extracts tasks from the newly published tekton-task:konflux bundle; adjusts local staging cp/git add block.
Task extraction helper script (hack/extract-all-bundle-tasks.sh): New bash utility that resolves an OCI bundle with crane, filters task layers with jq, downloads and gunzips layer blobs, extracts task YAMLs, validates app.kubernetes.io/version via yq, and writes task files under tasks/<name>/<version>/.

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the main objective: updating POLICY_BUNDLE_DIGEST in the tekton-task bundle and catalog, which is the primary change across both modified files.
Description check ✅ Passed The description is well-organized and directly related to the changeset, providing clear context about updating POLICY_BUNDLE_DIGEST, rebuilding the tekton-task bundle, adding the extraction script, and the test plan.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

yq navigates the YAML structure properly rather than relying on
fragile regex pattern matching against raw text.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/konflux-policy.yaml (1)

230-231: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

This overlay copy leaves removed tasks and versions behind.

cp -r only adds or overwrites. If a task or version disappears from the tested bundle, the old directory remains in tekton-catalog, so the branch can drift from the bundle this job just pushed.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/konflux-policy.yaml around lines 230 - 231, The overlay
copy using the shell command "cp -r /tmp/catalog-tasks/tasks/* tasks/" leaves
deleted tasks/versions behind; replace it with a synchronization that removes
stale destinations (for example use "rsync -a --delete /tmp/catalog-tasks/tasks/
tasks/" or alternatively remove the destination directory before copying) so the
destination "tasks/" exactly mirrors the extracted bundle; update the CI step
that runs the "cp -r /tmp/catalog-tasks/tasks/* tasks/" command to use the rsync
--delete form (or a remove-then-copy sequence) to prevent drift.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/konflux-policy.yaml:
- Around line 176-179: The script currently treats "no task files found" as
success; change the behavior so absence of any files matching
POLICY_BUNDLE_DIGEST is treated as a failure: after computing TASK_FILES (via
grep -rl 'POLICY_BUNDLE_DIGEST' ...), if TASK_FILES is empty then emit an
explicit error message and exit with non-zero status (e.g., exit 1) so the
workflow fails; ensure you reference the TASK_FILES variable and the
POLICY_BUNDLE_DIGEST match check in the updated conditional to make the failure
explicit.
- Around line 142-145: Replace the mutable action tag and dynamic CLI version by
pinning both the GitHub Action reference and the Tekton CLI version: change
uses: tektoncd/actions/setup-tektoncd-cli@v1 to the exact commit SHA for
tektoncd/actions/setup-tektoncd-cli, and replace version: latest with an
explicit CLI release string (for example "v0.45.0"); ensure the commit SHA and
CLI version you choose correspond to the same tested release so the action and
the installed CLI are immutable and reproducible.

In `@hack/extract-all-bundle-tasks.sh`:
- Around line 36-37: The repo-parsing currently uses REPO="${BUNDLE%@*}" then
REPO="${REPO%:*}", which incorrectly strips host ports (e.g., registry:5000)
because it removes everything after the last colon; change the logic to only
strip an image tag from the path basename so ports remain. Replace the single
`${REPO%:*}` step with logic that splits REPO into dir="${REPO%/*}" and
base="${REPO##*/}", then strip a tag from base with base="${base%%:*}" and
rebuild REPO as either "$base" (if no dir) or "$dir/$base"; keep using the same
BUNDLE/REPO variable names so the later crane blob calls target the correct
repository with port preserved.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: d676bebc-8f15-49f4-b1de-b96871a3bcc9

📥 Commits

Reviewing files that changed from the base of the PR and between 0561c47 and 635f24e.

📒 Files selected for processing (2)
  • .github/workflows/konflux-policy.yaml
  • hack/extract-all-bundle-tasks.sh
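Hardened versions of the three fixes requested in the review above (repository parsing that preserves a registry host port, failing closed when no task file references POLICY_BUNDLE_DIGEST, and mirroring rather than overlaying the catalog's tasks/ directory), as an added shell example that is not code from the conforma repository or its hack/ scripts. The function names, the fixture layout under a temp directory and the sample digests are constructed for the example; awk stands in for the yq step the project uses so the example runs without yq, and the naive parser is included only to show the port-stripping defect side by side with the fix.

```shell
#!/bin/sh
# Added example (not code from the conforma repository): hardened shell helpers
# for the three review findings. Paths and sample values are constructed here.
set -eu

# --- 1. Repository parsing that survives a host port ------------------------
# The approach under review: REPO="${BUNDLE%@*}"; REPO="${REPO%:*}"
# The second step strips from the LAST colon, so "registry:5000/x/y" becomes "registry".
bundle_repo_naive() {
  repo="${1%@*}"
  printf '%s\n' "${repo%:*}"
}

# Strip the @digest, then strip a :tag from the path basename only, so a
# "host:port" component is left untouched.
bundle_repo() {
  repo="${1%@*}"
  case "$repo" in
    */*) dir="${repo%/*}"; base="${repo##*/}" ;;
    *)   dir="";           base="$repo" ;;
  esac
  base="${base%%:*}"
  if [ -n "$dir" ]; then printf '%s/%s\n' "$dir" "$base"; else printf '%s\n' "$base"; fi
}

# --- 2. Fail closed when no task file carries POLICY_BUNDLE_DIGEST -----------
# Returns 1 (and prints an error) instead of silently "succeeding" with no edits.
update_policy_digest() {
  tasks_dir="$1"; new_digest="$2"
  task_files=$(grep -rl 'POLICY_BUNDLE_DIGEST' "$tasks_dir" || true)
  if [ -z "$task_files" ]; then
    echo "error: no task file under $tasks_dir references POLICY_BUNDLE_DIGEST" >&2
    return 1
  fi
  for f in $task_files; do
    # awk stands in for the project's yq step: rewrite the 'default:' line that
    # follows the POLICY_BUNDLE_DIGEST param entry.
    awk -v d="$new_digest" '
      /name: *POLICY_BUNDLE_DIGEST/ { hit = 1 }
      hit && /^[ \t]*default:/ { sub(/default:.*/, "default: " d); hit = 0 }
      { print }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
  done
}

# Read back the current POLICY_BUNDLE_DIGEST default of one task file.
policy_digest_default() {
  awk '/name: *POLICY_BUNDLE_DIGEST/ { hit = 1 }
       hit && /^[ \t]*default:/ { sub(/^[ \t]*default:[ \t]*/, ""); print; exit }' "$1"
}

# --- 3. Mirror, don't overlay, when syncing tasks into the catalog -----------
# "cp -r src/* dst/" only adds or overwrites, so a task or version dropped from
# the bundle lingers in the catalog. Remove-then-copy makes dst an exact mirror
# (rsync -a --delete is the other option named in the review).
sync_tasks() {
  src="$1"; dst="$2"
  rm -rf "$dst"
  mkdir -p "$dst"
  cp -r "$src"/. "$dst"/
}

# --- Constructed fixture: one bundle task, a catalog with a stale task ----------
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/bundle/tasks/verify/0.1" "$root/catalog/tasks/verify/0.1" \
           "$root/catalog/tasks/old-task/0.1" "$root/empty"
  cat > "$root/bundle/tasks/verify/0.1/verify.yaml" <<'EOF'
apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: verify
spec:
  params:
    - name: POLICY_BUNDLE_DIGEST
      description: Digest of the policy bundle (constructed sample)
      default: sha256:0000000000000000000000000000000000000000000000000000000000000000
EOF
  printf '%s\n' "$root"
}

demo() {
  root=$(make_fixture)
  bundle_repo 'registry:5000/conforma/tekton-task:konflux@sha256:deadbeef'
  update_policy_digest "$root/bundle/tasks" 'sha256:1111111111111111111111111111111111111111111111111111111111111111'
  policy_digest_default "$root/bundle/tasks/verify/0.1/verify.yaml"
  update_policy_digest "$root/empty" 'sha256:2222' || echo "failed closed as intended"
  sync_tasks "$root/bundle/tasks" "$root/catalog/tasks"
  ls "$root/catalog/tasks"   # old-task is gone, verify remains
  rm -rf "$root"
}
demo
```

Running the file prints the parsed repository, the rewritten digest, the fail-closed error for the empty directory, and the catalog listing without the stale task. The remove-then-copy in sync_tasks is deliberately unconditional: if the extraction step produced nothing, update_policy_digest has already failed the run before any catalog write happens.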

Silently succeeding would publish the bundle and catalog with stale
digest defaults if the task YAML structure changes.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…tekton-catalog jobs

Each job can now be toggled separately via workflow_dispatch inputs:
- run_tag: tag tested images as :konflux
- run_tekton_task_bundle: rebuild tekton-task bundle with updated policy digest
- run_tekton_catalog: sync task definitions to tekton-catalog git repo

The tekton-catalog job extracts from whatever is currently in
tekton-task:konflux rather than sharing artifacts with the bundle
rebuild, so it works whether the bundle was just rebuilt or not.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
.github/workflows/konflux-policy.yaml (1)

132-149: ⚡ Quick win

Consider adding a workflow concurrency: group to serialize publishing.

Because tekton-task-bundle and tekton-catalog both push to mutable refs (quay.io/conforma/tekton-task:konflux and the konflux branch of conforma/tekton-catalog), two concurrent workflow_dispatch runs can race and clobber each other (e.g., one run’s bundle paired with another’s catalog commit). A workflow-level concurrency group cleanly prevents this.

♻️ Suggested top-level addition
 permissions:
   contents: read

+concurrency:
+  group: konflux-policy
+  cancel-in-progress: false
+
 jobs:
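Review bot: `cancel-in-progress: false` is the right setting for this hunk, since cancelling a half-finished run could leave tekton-task:konflux pushed without its matching catalog commit; queued runs are safer than cancelled ones for publishing jobs. Note that the fixed `group: konflux-policy` serializes every run of the workflow, not only the ones that push. If the workflow also runs on events that never publish, the `${{ github.ref }}`-derived key suggested in the prompt text below keeps those runs from queueing behind a publish.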
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/konflux-policy.yaml around lines 132 - 149, Add a
top-level workflow concurrency group to serialize publishing so the
tekton-task-bundle and tekton-catalog jobs cannot run concurrently and race when
pushing mutable refs (the quay.io/conforma/tekton-task:konflux image tag and the
konflux branch of conforma/tekton-catalog). Modify the workflow YAML to add a
top-level concurrency block that uses a stable group key (for example a fixed
"konflux-publish" or one derived from the repository/branch like
"konflux-publish-${{ github.ref }}") so only one workflow run that may push
these refs can proceed at a time; this ensures the tekton-task-bundle and
tekton-catalog jobs are effectively serialized without changing their job
definitions.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: fa500bf2-fea7-4197-a497-c51311b63ce0

📥 Commits

Reviewing files that changed from the base of the PR and between 635f24e and 418fdc0.

📒 Files selected for processing (1)
  • .github/workflows/konflux-policy.yaml

Both tekton-task-bundle and tekton-catalog now consume the same
artifact from update-task-definitions, guaranteeing identical task
definitions in the OCI bundle and the git repo. The two downstream
jobs are fully independent and run in parallel.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
joejstuart and others added 2 commits May 21, 2026 09:41
Move the inline POLICY_BUNDLE_DIGEST update logic from the workflow
into a standalone script that can be tested locally.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Tests mock crane via a CRANE_DATA fixture directory and use real
jq/yq/grep on local data. Covers happy paths, idempotency, error
cases, and edge cases like missing version labels.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@joejstuart joejstuart merged commit 3e734b2 into conforma:main May 21, 2026
5 checks passed