add cli-stack for binary distribution

[sampras343]

Add cli-stack for binary aggregation into a single image and distribution to developers portal

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 26c636a6-5364-4678-be19-53d96eca2059

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[qodo-code-review]

ⓘ You are approaching your monthly quota for Qodo. Upgrade your plan

Review Summary by Qodo

Add CLI stack for multi-architecture binary distribution

✨ Enhancement

Walkthroughs

Description

• Add multi-architecture CLI binary distribution image
• Create Tekton pipeline configurations for PR and push events
• Aggregate pre-built binaries from multiple architectures into single image
• Support Linux, Darwin, and Windows platforms across architectures

Diagram

flowchart LR
  A["Per-arch CLI builds<br/>amd64, arm64, ppc64le, s390x"] -->|"Extract binaries"| B["Packager stage<br/>decompress and repackage"]
  B -->|"Collect all binaries"| C["Minimal UBI9 image<br/>with all tar.gz archives"]
  D["Tekton PR Pipeline<br/>conforma-cli-stack-pull-request.yaml"] -->|"Builds on PR"| C
  E["Tekton Push Pipeline<br/>conforma-cli-stack-push.yaml"] -->|"Builds on push"| C
  C -->|"Distributes to"| F["quay.io registry<br/>for developer access"]

Loading

File Changes

1. Dockerfile.cli-stack.rh ✨ Enhancement +68/-0

Multi-arch CLI binary aggregation Dockerfile

• Multi-stage Dockerfile that aggregates pre-built CLI binaries from four architectures
• Extracts and repackages Linux binaries for amd64, arm64, ppc64le, and s390x
• Includes cross-compiled Darwin and Windows binaries from amd64 build
• Creates minimal UBI9-based final image containing all binaries as tar.gz archives

Dockerfile.cli-stack.rh

---

2. .tekton/conforma-cli-stack-pull-request.yaml ⚙️ Configuration changes +54/-0

Tekton pipeline for CLI stack PR builds

• New Tekton PipelineRun configuration for pull request events on release-v0.8 branch
• Configures docker-build-oci-ta pipeline with Dockerfile.cli-stack.rh
• Sets output image to quay.io/securesign/conforma-cli-stack:on-pr-{{revision}}
• Enables hermetic builds and source image generation with 5-day expiration

.tekton/conforma-cli-stack-pull-request.yaml

---

3. .tekton/conforma-cli-stack-push.yaml ⚙️ Configuration changes +51/-0

Tekton pipeline for CLI stack push builds

• New Tekton PipelineRun configuration for push events on release-v0.8 branch
• Configures docker-build-oci-ta pipeline with Dockerfile.cli-stack.rh
• Sets output image to quay.io/securesign/conforma-cli-stack:{{revision}}
• Enables hermetic builds and source image generation for release builds

.tekton/conforma-cli-stack-push.yaml

---

View more (1)

4. .tekton/cli-v08-push.yaml ⚙️ Configuration changes +1/-0

Add nudge annotation for CLI stack Dockerfile

• Adds build-nudge-files annotation referencing Dockerfile.cli-stack.rh
• Enables Konflux nudge mechanism to manage per-architecture digest updates

.tekton/cli-v08-push.yaml

---

[qodo-code-review]

Code Review by Qodo

🐞 Bugs (5) 📘 Rule violations (0) 📎 Requirement gaps (0) 📐 Spec deviations (0)

1. Unbuildable digest placeholders 🐞 Bug ✓ Correctness

Description

Dockerfile.cli-stack.rh uses invalid image digests (sha256:REPLACE_*) in its FROM ...@sha256:
references, so builds of the cli-stack image will fail immediately when this Dockerfile is used by
the new PipelineRuns.

Code

Dockerfile.cli-stack.rh[R3-6]

+FROM --platform=linux/amd64   quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v08/cli-v08@sha256:REPLACE_AMD64 AS build-amd64
+FROM --platform=linux/arm64   quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v08/cli-v08@sha256:REPLACE_ARM64 AS build-arm64
+FROM --platform=linux/ppc64le quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v08/cli-v08@sha256:REPLACE_PPC64LE AS build-ppc64le
+FROM --platform=linux/s390x   quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v08/cli-v08@sha256:REPLACE_S390X AS build-s390x

Evidence

The Dockerfile’s base-image references are not valid sha256 digests (must be 64 hex chars), and both
new PipelineRuns explicitly build with this Dockerfile, so the pipeline will attempt to build an
unbuildable Dockerfile.

Dockerfile.cli-stack.rh[1-6]
.tekton/conforma-cli-stack-push.yaml[19-35]
.tekton/conforma-cli-stack-pull-request.yaml[20-38]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`Dockerfile.cli-stack.rh` cannot be built because its `FROM ...@sha256:` values are placeholders (`REPLACE_*`). The new cli-stack Tekton PipelineRuns reference this Dockerfile, so they will fail at build time.

### Issue Context
The file comment mentions Konflux nudging, but until nudging populates real digests, any run that tries to build this Dockerfile will fail.

### Fix Focus Areas
- Dockerfile.cli-stack.rh[1-6]
- .tekton/conforma-cli-stack-push.yaml[19-35]
- .tekton/conforma-cli-stack-pull-request.yaml[20-38]

### What to change
- Replace `sha256:REPLACE_*` with real per-arch digests (initial seed), OR switch to a buildable reference (e.g., a tag) until nudging is in place.
- Ensure the cli-stack pipelines do not run (or are gated) until the digests are populated.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

2. Unknown release-version param 🐞 Bug ✓ Correctness

Description

The new cli-stack PipelineRuns set a release-version parameter, but this repository’s existing
docker-build-oci-ta pipeline spec (used for cli-v08) does not define that parameter, which can
cause Tekton to reject the PipelineRun due to an undeclared param.

Code

.tekton/conforma-cli-stack-push.yaml[R20-22]

+  - name: release-version
+    value: 1.4.0
+  - name: dockerfile

Evidence

In the repo’s inlined docker-build-oci-ta pipeline spec, the declared params list does not include
release-version. The new PipelineRuns add release-version, creating a mismatch against the known
pipeline interface in this repo.

.tekton/conforma-cli-stack-push.yaml[19-23]
.tekton/conforma-cli-stack-pull-request.yaml[20-24]
.tekton/cli-v08-push.yaml[50-116]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The new PipelineRuns pass `release-version`, but the repo’s `docker-build-oci-ta` pipeline interface (as represented by the existing inlined spec) doesn’t declare it. Tekton commonly errors when a PipelineRun supplies params not declared by the Pipeline.

### Issue Context
Existing `cli-v08` PipelineRuns use an inlined `docker-build-oci-ta` spec whose params are visible in-repo and do not include `release-version`.

### Fix Focus Areas
- .tekton/conforma-cli-stack-push.yaml[19-23]
- .tekton/conforma-cli-stack-pull-request.yaml[20-24]
- .tekton/cli-v08-push.yaml[50-116]

### What to change
- Remove the `release-version` param from both cli-stack PipelineRuns if it is unused.
- Alternatively, ensure the referenced pipeline actually declares `release-version` (and pin to that revision), and keep the param only if the pipeline consumes it.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

3. Git-url template mismatch 🐞 Bug ⛯ Reliability

Description

The new cli-stack PipelineRuns use {{repo_url}} for git-url, while the existing repo
PipelineRuns use {{source_url}}, risking failed template substitution and a broken clone step for
cli-stack builds.

Code

.tekton/conforma-cli-stack-push.yaml[R24-25]

+  - name: git-url
+    value: '{{repo_url}}'

Evidence

Within this repo, git-url is populated using {{source_url}} in existing Pipelines-as-Code
PipelineRuns. The new files are the only ones using {{repo_url}}, so they may not receive a
substituted URL under the same PaC configuration.

.tekton/conforma-cli-stack-push.yaml[23-31]
.tekton/conforma-cli-stack-pull-request.yaml[23-35]
.tekton/cli-v08-push.yaml[20-26]
.tekton/cli-v08-pull-request.yaml[20-26]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
cli-stack PipelineRuns use a different PaC template variable for `git-url` than the existing, working pipelines in this repo.

### Issue Context
`cli-v08` PipelineRuns set `git-url` to `{{source_url}}`, while cli-stack uses `{{repo_url}}`.

### Fix Focus Areas
- .tekton/conforma-cli-stack-push.yaml[23-26]
- .tekton/conforma-cli-stack-pull-request.yaml[23-27]
- .tekton/cli-v08-push.yaml[20-23]
- .tekton/cli-v08-pull-request.yaml[20-23]

### What to change
- Switch cli-stack PipelineRuns to use `{{source_url}}` (or whichever variable is actually provided in your PaC setup) consistently across all PipelineRuns.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

4. Unpinned pipelineRef revision 🐞 Bug ⛨ Security

Description

The new cli-stack PipelineRuns resolve their build pipeline from securesign/pipelines.git at
revision: main, making the CI behavior non-reproducible and vulnerable to upstream changes
breaking builds or changing the build process unexpectedly.

Code

.tekton/conforma-cli-stack-push.yaml[R36-44]

+  pipelineRef:
+    params:
+    - name: url
+      value: https://github.com/securesign/pipelines.git
+    - name: revision
+      value: main
+    - name: pathInRepo
+      value: pipelines/docker-build-oci-ta.yaml
+    resolver: git

Evidence

Both new PipelineRuns reference a moving git branch (main) for the pipeline definition. In
contrast, the existing in-repo pipeline spec pins task bundles by digest, which is reproducible.

.tekton/conforma-cli-stack-push.yaml[36-44]
.tekton/conforma-cli-stack-pull-request.yaml[39-47]
.tekton/cli-v08-push.yaml[131-165]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
Using `revision: main` for a git-resolved pipeline makes builds non-deterministic.

### Issue Context
The cli-stack PipelineRuns resolve the pipeline from git; the existing pipeline in this repo pins referenced bundles by digest.

### Fix Focus Areas
- .tekton/conforma-cli-stack-push.yaml[36-44]
- .tekton/conforma-cli-stack-pull-request.yaml[39-47]

### What to change
- Pin `pipelineRef.params.revision` to an immutable git commit SHA (or a signed/tagged immutable ref), and update it intentionally when you want pipeline changes.
- Optionally prefer a Tekton bundle reference pinned by digest if that’s the repo standard.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

5. Missing SA/namespace definitions 🐞 Bug ⛯ Reliability

Description

The new PipelineRuns target namespace: rhtas-tenant and `serviceAccountName:
build-pipeline-conforma-cli-stack`, but this repo contains no other references/manifests for that
namespace/service account, so these PipelineRuns are likely to fail in environments where those
resources are not pre-provisioned.

Code

.tekton/conforma-cli-stack-push.yaml[46]

+    serviceAccountName: build-pipeline-conforma-cli-stack

Evidence

Existing PipelineRuns in this repo are configured for rhtap-contract-tenant and a different
service account (build-pipeline-cli-v08). The cli-stack files introduce a new namespace/SA pair
not used elsewhere in the repository.

.tekton/conforma-cli-stack-push.yaml[16-18]
.tekton/conforma-cli-stack-push.yaml[45-47]
.tekton/conforma-cli-stack-pull-request.yaml[17-19]
.tekton/conforma-cli-stack-pull-request.yaml[48-50]
.tekton/cli-v08-push.yaml[17-19]
.tekton/cli-v08-push.yaml[534-536]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The new PipelineRuns assume a namespace and service account that are not referenced anywhere else in this repo.

### Issue Context
Other PipelineRuns use `rhtap-contract-tenant` and `build-pipeline-cli-v08`.

### Fix Focus Areas
- .tekton/conforma-cli-stack-push.yaml[16-18]
- .tekton/conforma-cli-stack-push.yaml[45-47]
- .tekton/conforma-cli-stack-pull-request.yaml[17-19]
- .tekton/conforma-cli-stack-pull-request.yaml[48-50]

### What to change
- Either update cli-stack PipelineRuns to use the existing namespace/SA conventions used by the repo, OR
- Add (or reference) the manifests/docs that provision `rhtas-tenant` and `build-pipeline-conforma-cli-stack` so this configuration is deployable and testable.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

ⓘ The new review experience is currently in Beta. Learn more

[qodo-code-review]

ⓘ You are approaching your monthly quota for Qodo. Upgrade your plan

Review Summary by Qodo

Add CLI stack for multi-platform binary distribution

✨ Enhancement

Walkthroughs

Description

• Add multi-architecture CLI binary aggregation image
• Create Tekton pipeline configurations for pull requests and push events
• Bundle CLI binaries for Linux, Darwin, and Windows platforms
• Enable binary distribution via container registry

Diagram

flowchart LR
  A["Multi-arch CLI builds<br/>amd64, arm64, ppc64le, s390x"] -->|"Aggregate binaries"| B["Dockerfile.cli-stack.rh<br/>Packager stage"]
  B -->|"Extract & compress"| C["Binary archives<br/>Linux, Darwin, Windows"]
  C -->|"Final minimal image"| D["quay.io/securesign/<br/>conforma-cli-stack"]
  E["Pull Request trigger"] -->|"Build on PR"| F["conforma-cli-stack-pull-request.yaml"]
  G["Push to release-v0.8"] -->|"Build on push"| H["conforma-cli-stack-push.yaml"]
  F -->|"Uses pipeline"| D
  H -->|"Uses pipeline"| D

Loading

File Changes

1. Dockerfile.cli-stack.rh ✨ Enhancement +66/-0

Multi-platform CLI binary aggregation Dockerfile

• Multi-stage Dockerfile aggregating CLI binaries from four Linux architectures
• Extracts and repackages native binaries for amd64, arm64, ppc64le, s390x
• Includes cross-compiled Darwin and Windows binaries from amd64 build
• Final minimal UBI9 image containing all binaries in /binaries/ directory

Dockerfile.cli-stack.rh

---

2. .tekton/conforma-cli-stack-pull-request.yaml ⚙️ Configuration changes +54/-0

Tekton pipeline for CLI stack pull request builds

• New Tekton PipelineRun for pull request builds on release-v0.8 branch
• Configures build parameters including release version 1.4.0 and Dockerfile reference
• Outputs image to quay.io/securesign/conforma-cli-stack:on-pr-{{revision}}
• Enables hermetic builds and source image generation with git authentication

.tekton/conforma-cli-stack-pull-request.yaml

---

3. .tekton/conforma-cli-stack-push.yaml ⚙️ Configuration changes +51/-0

Tekton pipeline for CLI stack push event builds

• New Tekton PipelineRun for push events on release-v0.8 branch
• Mirrors pull request configuration with push-specific output image tag
• Outputs image to quay.io/securesign/conforma-cli-stack:{{revision}}
• Maintains hermetic builds and source image generation settings

.tekton/conforma-cli-stack-push.yaml

---

View more (1)

4. .tekton/cli-v08-push.yaml ⚙️ Configuration changes +1/-0

Add CLI stack Dockerfile build trigger annotation

• Adds build nudge annotation referencing Dockerfile.cli-stack.rh
• Enables automatic pipeline triggering when CLI stack Dockerfile changes

.tekton/cli-v08-push.yaml

---

[qodo-code-review]

Code Review by Qodo

🐞 Bugs (7) 📘 Rule violations (0) 📎 Requirement gaps (0) 📐 Spec deviations (0)

1. Unbuildable digest placeholders 🐞 Bug ✓ Correctness

Description

Dockerfile.cli-stack.rh uses invalid image digests (sha256:REPLACE_*) in its FROM ...@sha256:
references, so builds of the cli-stack image will fail immediately when this Dockerfile is used by
the new PipelineRuns.

Code

Dockerfile.cli-stack.rh[R3-6]

+FROM --platform=linux/amd64   quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v08/cli-v08@sha256:REPLACE_AMD64 AS build-amd64
+FROM --platform=linux/arm64   quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v08/cli-v08@sha256:REPLACE_ARM64 AS build-arm64
+FROM --platform=linux/ppc64le quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v08/cli-v08@sha256:REPLACE_PPC64LE AS build-ppc64le
+FROM --platform=linux/s390x   quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v08/cli-v08@sha256:REPLACE_S390X AS build-s390x

Evidence

The Dockerfile’s base-image references are not valid sha256 digests (must be 64 hex chars), and both
new PipelineRuns explicitly build with this Dockerfile, so the pipeline will attempt to build an
unbuildable Dockerfile.

Dockerfile.cli-stack.rh[1-6]
.tekton/conforma-cli-stack-push.yaml[19-35]
.tekton/conforma-cli-stack-pull-request.yaml[20-38]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`Dockerfile.cli-stack.rh` cannot be built because its `FROM ...@sha256:` values are placeholders (`REPLACE_*`). The new cli-stack Tekton PipelineRuns reference this Dockerfile, so they will fail at build time.
### Issue Context
The file comment mentions Konflux nudging, but until nudging populates real digests, any run that tries to build this Dockerfile will fail.
### Fix Focus Areas
- Dockerfile.cli-stack.rh[1-6]
- .tekton/conforma-cli-stack-push.yaml[19-35]
- .tekton/conforma-cli-stack-pull-request.yaml[20-38]
### What to change
- Replace `sha256:REPLACE_*` with real per-arch digests (initial seed), OR switch to a buildable reference (e.g., a tag) until nudging is in place.
- Ensure the cli-stack pipelines do not run (or are gated) until the digests are populated.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

2. Unknown release-version param 🐞 Bug ✓ Correctness

Description

The new cli-stack PipelineRuns set a release-version parameter, but this repository’s existing
docker-build-oci-ta pipeline spec (used for cli-v08) does not define that parameter, which can
cause Tekton to reject the PipelineRun due to an undeclared param.

Code

.tekton/conforma-cli-stack-push.yaml[R20-22]

+  - name: release-version
+    value: 1.4.0
+  - name: dockerfile

Evidence

In the repo’s inlined docker-build-oci-ta pipeline spec, the declared params list does not include
release-version. The new PipelineRuns add release-version, creating a mismatch against the known
pipeline interface in this repo.

.tekton/conforma-cli-stack-push.yaml[19-23]
.tekton/conforma-cli-stack-pull-request.yaml[20-24]
.tekton/cli-v08-push.yaml[50-116]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The new PipelineRuns pass `release-version`, but the repo’s `docker-build-oci-ta` pipeline interface (as represented by the existing inlined spec) doesn’t declare it. Tekton commonly errors when a PipelineRun supplies params not declared by the Pipeline.
### Issue Context
Existing `cli-v08` PipelineRuns use an inlined `docker-build-oci-ta` spec whose params are visible in-repo and do not include `release-version`.
### Fix Focus Areas
- .tekton/conforma-cli-stack-push.yaml[19-23]
- .tekton/conforma-cli-stack-pull-request.yaml[20-24]
- .tekton/cli-v08-push.yaml[50-116]
### What to change
- Remove the `release-version` param from both cli-stack PipelineRuns if it is unused.
- Alternatively, ensure the referenced pipeline actually declares `release-version` (and pin to that revision), and keep the param only if the pipeline consumes it.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

3. Wrong build nudge file 🐞 Bug ⛯ Reliability ⭐ New

Description

cli-v08-on-push now declares build-nudge-files: Dockerfile.cli-stack.rh, but that PipelineRun’s
dockerfile param is Dockerfile.dist, so edits to the cli-stack Dockerfile will unnecessarily
trigger the cli-v08 build (and not the intended cli-stack build).

Code

.tekton/cli-v08-push.yaml[R4-6]

  annotations:
+    build.appstudio.openshift.io/build-nudge-files: "Dockerfile.cli-stack.rh"
    build.appstudio.openshift.io/repo: https://github.com/conforma/cli?rev={{revision}}

Evidence

In cli-v08-push.yaml, the new build-nudge-files points at Dockerfile.cli-stack.rh, while the
same PipelineRun’s dockerfile param is Dockerfile.dist. Therefore the nudge file does not
correspond to the build inputs for that PipelineRun and will create cross-triggered rebuilds when
the stack Dockerfile changes.

.tekton/cli-v08-push.yaml[1-32]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`cli-v08-on-push` is configured to build using `Dockerfile.dist`, but the PR adds a `build-nudge-files` annotation pointing to `Dockerfile.cli-stack.rh`. This causes unrelated changes to the cli-stack Dockerfile to trigger cli-v08 rebuilds.

### Issue Context
`build.appstudio.openshift.io/build-nudge-files` should list files that are true build inputs for that PipelineRun.

### Fix Focus Areas
- .tekton/cli-v08-push.yaml[3-31]

Change `build-nudge-files` to `Dockerfile.dist` (or remove it if not needed) and, if desired, add an appropriate `build-nudge-files` annotation to the *conforma-cli-stack* PipelineRuns instead.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

4. Git-url template mismatch 🐞 Bug ⛯ Reliability

Description

The new cli-stack PipelineRuns use {{repo_url}} for git-url, while the existing repo
PipelineRuns use {{source_url}}, risking failed template substitution and a broken clone step for
cli-stack builds.

Code

.tekton/conforma-cli-stack-push.yaml[R24-25]

+  - name: git-url
+    value: '{{repo_url}}'

Evidence

Within this repo, git-url is populated using {{source_url}} in existing Pipelines-as-Code
PipelineRuns. The new files are the only ones using {{repo_url}}, so they may not receive a
substituted URL under the same PaC configuration.

.tekton/conforma-cli-stack-push.yaml[23-31]
.tekton/conforma-cli-stack-pull-request.yaml[23-35]
.tekton/cli-v08-push.yaml[20-26]
.tekton/cli-v08-pull-request.yaml[20-26]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
cli-stack PipelineRuns use a different PaC template variable for `git-url` than the existing, working pipelines in this repo.
### Issue Context
`cli-v08` PipelineRuns set `git-url` to `{{source_url}}`, while cli-stack uses `{{repo_url}}`.
### Fix Focus Areas
- .tekton/conforma-cli-stack-push.yaml[23-26]
- .tekton/conforma-cli-stack-pull-request.yaml[23-27]
- .tekton/cli-v08-push.yaml[20-23]
- .tekton/cli-v08-pull-request.yaml[20-23]
### What to change
- Switch cli-stack PipelineRuns to use `{{source_url}}` (or whichever variable is actually provided in your PaC setup) consistently across all PipelineRuns.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

5. Unpinned pipelineRef revision 🐞 Bug ⛨ Security

Description

The new cli-stack PipelineRuns resolve their build pipeline from securesign/pipelines.git at
revision: main, making the CI behavior non-reproducible and vulnerable to upstream changes
breaking builds or changing the build process unexpectedly.

Code

.tekton/conforma-cli-stack-push.yaml[R36-44]

+  pipelineRef:
+    params:
+    - name: url
+      value: https://github.com/securesign/pipelines.git
+    - name: revision
+      value: main
+    - name: pathInRepo
+      value: pipelines/docker-build-oci-ta.yaml
+    resolver: git

Evidence

Both new PipelineRuns reference a moving git branch (main) for the pipeline definition. In
contrast, the existing in-repo pipeline spec pins task bundles by digest, which is reproducible.

.tekton/conforma-cli-stack-push.yaml[36-44]
.tekton/conforma-cli-stack-pull-request.yaml[39-47]
.tekton/cli-v08-push.yaml[131-165]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
Using `revision: main` for a git-resolved pipeline makes builds non-deterministic.
### Issue Context
The cli-stack PipelineRuns resolve the pipeline from git; the existing pipeline in this repo pins referenced bundles by digest.
### Fix Focus Areas
- .tekton/conforma-cli-stack-push.yaml[36-44]
- .tekton/conforma-cli-stack-pull-request.yaml[39-47]
### What to change
- Pin `pipelineRef.params.revision` to an immutable git commit SHA (or a signed/tagged immutable ref), and update it intentionally when you want pipeline changes.
- Optionally prefer a Tekton bundle reference pinned by digest if that’s the repo standard.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

View more (1)

6. Missing SA/namespace definitions 🐞 Bug ⛯ Reliability

Description

The new PipelineRuns target namespace: rhtas-tenant and `serviceAccountName:
build-pipeline-conforma-cli-stack`, but this repo contains no other references/manifests for that
namespace/service account, so these PipelineRuns are likely to fail in environments where those
resources are not pre-provisioned.

Code

.tekton/conforma-cli-stack-push.yaml[46]

+    serviceAccountName: build-pipeline-conforma-cli-stack

Evidence

Existing PipelineRuns in this repo are configured for rhtap-contract-tenant and a different
service account (build-pipeline-cli-v08). The cli-stack files introduce a new namespace/SA pair
not used elsewhere in the repository.

.tekton/conforma-cli-stack-push.yaml[16-18]
.tekton/conforma-cli-stack-push.yaml[45-47]
.tekton/conforma-cli-stack-pull-request.yaml[17-19]
.tekton/conforma-cli-stack-pull-request.yaml[48-50]
.tekton/cli-v08-push.yaml[17-19]
.tekton/cli-v08-push.yaml[534-536]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The new PipelineRuns assume a namespace and service account that are not referenced anywhere else in this repo.
### Issue Context
Other PipelineRuns use `rhtap-contract-tenant` and `build-pipeline-cli-v08`.
### Fix Focus Areas
- .tekton/conforma-cli-stack-push.yaml[16-18]
- .tekton/conforma-cli-stack-push.yaml[45-47]
- .tekton/conforma-cli-stack-pull-request.yaml[17-19]
- .tekton/conforma-cli-stack-pull-request.yaml[48-50]
### What to change
- Either update cli-stack PipelineRuns to use the existing namespace/SA conventions used by the repo, OR
- Add (or reference) the manifests/docs that provision `rhtas-tenant` and `build-pipeline-conforma-cli-stack` so this configuration is deployable and testable.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

7. Missing cancel-in-progress 🐞 Bug ⛯ Reliability ⭐ New

Description

The conforma-cli-stack pull-request PipelineRun omits
pipelinesascode.tekton.dev/cancel-in-progress, so repeated PR updates can queue multiple
concurrent builds instead of canceling obsolete runs (unlike the existing cli-v08 PR pipeline).

Code

.tekton/conforma-cli-stack-pull-request.yaml[R8-12]

+    build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+    pipelinesascode.tekton.dev/max-keep-runs: "3"
+    pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch
+      == "release-v0.8"
+  creationTimestamp: null

Evidence

cli-v08-on-pull-request explicitly sets pipelinesascode.tekton.dev/cancel-in-progress: "true",
but the new stack PR PipelineRun has only max-keep-runs and the CEL expression. This is a
behavioral difference that can increase cluster load and delay feedback on active PRs.

.tekton/conforma-cli-stack-pull-request.yaml[4-12]
.tekton/cli-v08-pull-request.yaml[4-12]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The PR PipelineRun for `conforma-cli-stack` doesn’t specify whether in-progress runs should be canceled when new commits are pushed to the PR. This can lead to redundant builds.

### Issue Context
The existing `cli-v08-on-pull-request` PipelineRun uses `pipelinesascode.tekton.dev/cancel-in-progress: "true"`.

### Fix Focus Areas
- .tekton/conforma-cli-stack-pull-request.yaml[4-12]

Add `pipelinesascode.tekton.dev/cancel-in-progress: "true"` (or explicitly set a desired value) to make the behavior intentional and consistent.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

ⓘ The new review experience is currently in Beta. Learn more

[sampras343]

@simonbaird

[simonbaird]

I think it needs a license preamble to avoid a lint error.

[sampras343]

addressed

[simonbaird]

I was expecting to see a verion number in the filename.

We are a little bit "multi-stream", i.e. we maintain and build more than one parallel release branch build. Right now we have v0.6, v0.7 and v0.8. (v0.6 would be retired soon after RHTAS 1.4 is shipped.).

So I think it's likely we should version the component name, so we can have say "conforma-cli-stack-v08" and later in the year we can introduce "conforma-cli-stack-v09". Wdyt?

[sampras343]

Similar multi stream approach here as well.
The current component created is under main$ by default, so the naming is conforma-cli-stack.
I will address this issue when I create the stack under 1.4 release of rhtas.
So the application would be like cli-stacks-v1-4 and the component under that could be conforma-cli-stack-v08.

[simonbaird]

Hmm okay.

[simonbaird]

Not a blocker, but I'm wondering why do you need the go-toolset? Seems like gzip and tar would be all that is needed, so why not use a lighter weight image to do the packaging?

[sampras343]

In one of my earlier tryouts, I tried using ubi-minimal but gzip was not found in that and I had to install on top of it which I felt was counter intuitive to already signed off packages within the image.
Plus, the final base image in the multi stage build is something minimal

[st3penta]

Looks good to me

[simonbaird]

I was thinking we should use the registry.redhat.io/rhtas/ec-rhel9:0.8 image here, but IIUC using the quay.io image means it works better with Konflux's nudging mechanism.

[robnester-rh]

Might be a good idea to pin to a known revision.

[simonbaird]

/ok-to-test

[simonbaird]

The acceptance test failure here is unexpected.

Created #3197 to (hopefully) fix it.

If that works and gets merged, I'll rebase this one and see if we can get it green.