Red Hat OpenShift Control Planes / CNTRLPLANE-2579

Add script to update Tekton pipeline task bundles to latest trusted versions

    • Type: Story
    • Resolution: Unresolved
    • HyperShift

      Problem

      Tekton pipeline task bundles in .tekton/pipelines/ need to be periodically updated to use the latest trusted digests from the data-acceptable-bundles OCI artifact. This ensures:

      • Pipelines use the latest security fixes and improvements
      • Enterprise Contract policy checks pass (trusted_task.trusted)
      • Tasks don't expire and cause pipeline failures

      Currently this is a manual process that is easy to forget.

      Solution

      A script that fetches the trusted tasks data from quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest and updates the pipeline YAML files to use the latest trusted task bundle digests.

      Features

      • Updates task bundle digests to latest trusted versions
      • Shows available version upgrades (e.g., 0.3 → 0.4)
      • With --upgrade-versions, also applies version upgrades
      • Supports dry-run mode for CI checks
      • JSON output for automation
      • Colored diff output

      Usage

      # Update digests only (shows available version upgrades as info)
      ./hack/tools/scripts/update_trusted_task_bundles.py .tekton/pipelines/*.yaml

      # Check without applying (dry-run)
      ./hack/tools/scripts/update_trusted_task_bundles.py .tekton/pipelines/*.yaml --dry-run

      # Also upgrade to newer versions
      ./hack/tools/scripts/update_trusted_task_bundles.py .tekton/pipelines/*.yaml --upgrade-versions

      # Show diff
      ./hack/tools/scripts/update_trusted_task_bundles.py .tekton/pipelines/*.yaml --dry-run --diff
      

      Requirements

      • Python 3.8+
      • PyYAML (pip install pyyaml)
      • skopeo (for fetching OCI artifacts)
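      The following is an added illustration of the update logic described in the Solution, Features and Usage sections above; it is not the ticket's hack/tools/scripts/update_trusted_task_bundles.py. It assumes the trusted-tasks data has the shape "repo:version -> newest-first list of digests with optional expiry" (a constructed stand-in replaces the skopeo fetch), and it rewrites bundle references with a regular expression rather than PyYAML so the original file formatting survives and the example runs with only the standard library. The sample pipeline, digests and expiry dates are constructed.

```python
#!/usr/bin/env python3
"""Illustrative Tekton bundle digest updater (added example, not the ticket's script)."""
import difflib
import re
import sys
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# CONSTRUCTED stand-in for the data the real script fetches from the
# data-acceptable-bundles OCI artifact; the layout is an assumption.
TRUSTED_TASKS = {
    "quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1": [
        {"ref": "sha256:" + "a" * 64, "expires_on": None},                   # newest
        {"ref": "sha256:" + "b" * 64, "expires_on": "2024-01-01T00:00:00Z"},  # expired
    ],
    "quay.io/konflux-ci/tekton-catalog/task-buildah:0.3": [{"ref": "sha256:" + "c" * 64, "expires_on": None}],
    "quay.io/konflux-ci/tekton-catalog/task-buildah:0.4": [{"ref": "sha256:" + "d" * 64, "expires_on": None}],
}

# Constructed pipeline fragment: git-clone is pinned to an expired digest, buildah is current but 0.4 exists.
SAMPLE_PIPELINE = f"""apiVersion: tekton.dev/v1
kind: Pipeline
spec:
  tasks:
    - name: clone
      taskRef:
        resolver: bundles
        params:
          - name: bundle
            value: quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:{'b' * 64}
    - name: build
      taskRef:
        resolver: bundles
        params:
          - name: bundle
            value: quay.io/konflux-ci/tekton-catalog/task-buildah:0.3@sha256:{'c' * 64}
"""

# A pinned bundle reference as it appears in a taskRef's "bundle" param.
BUNDLE_RE = re.compile(r"(?P<repo>quay\.io/[\w./-]+/task-[\w-]+):(?P<version>[\w.-]+)@(?P<digest>sha256:[0-9a-f]{64})")


@dataclass
class Update:
    repo: str
    old_version: str
    new_version: str
    old_digest: str
    new_digest: str
    old_status: str  # current / stale / expired / untrusted


@dataclass
class Report:
    updates: List[Update] = field(default_factory=list)
    upgrades: List[Tuple[str, str, str, bool]] = field(default_factory=list)  # (repo, old, new, applied)
    unknown: List[str] = field(default_factory=list)  # references with no trusted data at all


def _version_key(v: str) -> tuple:
    # Numeric components compare as integers so that 0.10 sorts after 0.9.
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.split("."))


def latest_trusted(repo: str, version: str) -> Optional[str]:
    entries = TRUSTED_TASKS.get(f"{repo}:{version}")
    return entries[0]["ref"] if entries else None


def newest_version(repo: str, version: str) -> Optional[str]:
    """Return a newer trusted version of the same task, if one is published."""
    candidates = [k.rsplit(":", 1)[1] for k, v in TRUSTED_TASKS.items() if k.rsplit(":", 1)[0] == repo and v]
    if not candidates:
        return None
    best = max(candidates, key=_version_key)
    return best if _version_key(best) > _version_key(version) else None


def digest_status(repo: str, version: str, digest: str, now: datetime) -> str:
    """Classify a pinned digest against the trusted list (expired digests fail trusted_task checks)."""
    for i, e in enumerate(TRUSTED_TASKS.get(f"{repo}:{version}", [])):
        if e["ref"] == digest:
            exp = e.get("expires_on")
            if exp and datetime.fromisoformat(exp.replace("Z", "+00:00")) <= now:
                return "expired"
            return "current" if i == 0 else "stale"
    return "untrusted"


def update_pipeline_text(text: str, upgrade_versions: bool = False, now: Optional[datetime] = None) -> Tuple[str, Report]:
    """Rewrite every bundle reference to its newest trusted digest; returns (new_text, report)."""
    now = now or datetime.now(timezone.utc)
    report = Report()

    def repl(m) -> str:
        repo, version, digest = m.group("repo"), m.group("version"), m.group("digest")
        status, target = digest_status(repo, version, digest, now), version
        newer = newest_version(repo, version)
        if newer:  # always reported; only applied with --upgrade-versions
            report.upgrades.append((repo, version, newer, upgrade_versions))
            target = newer if upgrade_versions else version
        latest = latest_trusted(repo, target)
        if latest is None:  # nothing trusted is known for this task: leave it untouched and flag it
            report.unknown.append(m.group(0))
            return m.group(0)
        if latest == digest and target == version:
            return m.group(0)  # already pinned to the newest trusted digest
        report.updates.append(Update(repo, version, target, digest, latest, status))
        return f"{repo}:{target}@{latest}"

    return BUNDLE_RE.sub(repl, text), report


def render_diff(old: str, new: str, path: str) -> str:
    return "".join(difflib.unified_diff(old.splitlines(True), new.splitlines(True), f"a/{path}", f"b/{path}"))


def main(argv: List[str]) -> int:
    dry_run, upgrade, show_diff = "--dry-run" in argv, "--upgrade-versions" in argv, "--diff" in argv
    changed = 0
    for path in [a for a in argv if not a.startswith("--")]:
        with open(path) as f:
            old = f.read()
        new, report = update_pipeline_text(old, upgrade_versions=upgrade)
        for u in report.updates:
            print(f"{path}: {u.repo}:{u.old_version} ({u.old_status}) -> {u.new_version}@{u.new_digest[:19]}...")
        for repo, old_v, new_v, applied in report.upgrades:
            print(f"{path}: {'upgraded' if applied else 'upgrade available'} {repo} {old_v} -> {new_v}")
        if show_diff:
            sys.stdout.write(render_diff(old, new, path))
        if new != old:
            changed += 1
            if not dry_run:
                with open(path, "w") as f:
                    f.write(new)
    return 1 if dry_run and changed else 0  # non-zero in dry-run lets a CI check fail when updates are pending


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

      Running update_pipeline_text(SAMPLE_PIPELINE) replaces only the expired git-clone digest and reports the buildah 0.3 to 0.4 upgrade as available; passing upgrade_versions=True also moves buildah to 0.4 and its trusted digest. A second pass over the updated text changes nothing, which is the property a scheduled dry-run job relies on to stay quiet when pipelines are current.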

      Follow-up Work

      A follow-up ticket should be created to add a periodic Prow job that:
      1. Runs this script in dry-run mode on a schedule (e.g., weekly)
      2. Opens a PR automatically if updates are available
      3. Alerts the team if pipelines are using outdated/expiring task bundles

      This will ensure HyperShift pipelines stay up-to-date with trusted task bundles without manual intervention.

      Acceptance Criteria

      • [x] Script is added to hack/tools/scripts/update_trusted_task_bundles.py
      • [x] Script can fetch trusted tasks data from OCI artifact
      • [x] Script can update pipeline YAML files with latest digests
      • [x] Script supports version upgrades with --upgrade-versions
      • [x] Script supports dry-run mode for CI
      • [ ] Follow-up ticket created for periodic Prow job

              asegurap1@redhat.com Antoni Segura Puimedon