WIP: use example files to see what works #1655
cpmeadors wants to merge 4 commits into openshift:main
Conversation
Important: Review skipped. Auto reviews are limited based on label configuration. Excluded labels (none allowed) (1).
Please check the settings in the CodeRabbit UI or the Run configuration. Configuration used: Organization UI. Review profile: CHILL. Plan: Pro.
Walkthrough: Two new Tekton Pipeline manifests are added for integration testing. Each pipeline provisions an isolated Kubernetes environment, deploys a test component from a snapshot image, manages pull secrets, and executes RapidAST security scanning against the deployed application.
Estimated code review effort: 2 (Simple), ~15 minutes.
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: cpmeadors. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Actionable comments posted: 6
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: beea3ae7-94e2-4b34-a816-0b2b46240ecb
📒 Files selected for processing (2)
.tekton/integration/rapidast-check.yaml
.tekton/integration/rapidast-integration-test.yaml
Reviewed lines (.tekton/integration/rapidast-check.yaml, around lines 64-67):
set -euxo pipefail
cat <<< "$KUBECONFIG_VALUE" > "$KUBECONFIG"
echo "Wrote kubeconfig for new environment to $KUBECONFIG"
Prevent kubeconfig secret leakage in logs.
Line 64 enables shell tracing (-x) while Line 66 handles secret content. This can leak kubeconfig into logs.
Suggested fix
- set -euxo pipefail
+ set -euo pipefail📝 Committable suggestion
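Review bot: this hunk removes -x for the entire script (`- set -euxo pipefail` / `+ set -euo pipefail`), which throws away tracing for every other step when the only sensitive command is the kubeconfig write on line 66. The prompt further down in this comment already describes the narrower fix: keep `set -euo pipefail`, wrap the write in `set +x` / `set -x`, and leave the confirmation echo (which prints only the path) outside the untraced region.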
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.tekton/integration/rapidast-check.yaml around lines 64 - 67, The script
currently enables shell tracing with "set -euxo pipefail" while writing the
kubeconfig from KUBECONFIG_VALUE to KUBECONFIG, risking secret leakage; update
the invocation so tracing is disabled around the secret write (remove the -x
flag or temporarily disable tracing with "set +x" before the heredoc and
re-enable after with "set -x"), keep strict failure flags (e.g. "set -euo
pipefail"), and ensure you write KUBECONFIG_VALUE to $KUBECONFIG without
printing its contents (refer to the existing use of KUBECONFIG_VALUE and
KUBECONFIG in the heredoc).
Reviewed lines (.tekton/integration/rapidast-check.yaml, lines 123-124):
- name: revision
  value: konflux-example
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
curl -fsSL 'https://api.github.com/repos/redhatproductsecurity/rapidast/commits/konflux-example' | jq -r '.sha'
Repository: openshift/kueue-operator
Length of output: 108
🏁 Script executed:
# Read the file around the specified lines
head -130 .tekton/integration/rapidast-check.yaml | tail -15
Repository: openshift/kueue-operator
Length of output: 624
🏁 Script executed:
# Check for other mutable references in the file (branches, tags, etc.)
rg "value: (main|master|develop|release|konflux)" .tekton/integration/rapidast-check.yaml -n
Repository: openshift/kueue-operator
Length of output: 106
🏁 Script executed:
# Get the full context of the rapidast-check.yaml file to understand its structure
wc -l .tekton/integration/rapidast-check.yaml
Repository: openshift/kueue-operator
Length of output: 111
Pin git resolver revision to an immutable commit SHA.
Line 124 references a mutable branch (konflux-example). Use a commit SHA for deterministic, safer CI behavior. The TODO comment on line 123 indicates this change is already planned.
Suggested fix
- - name: revision
- value: konflux-example
+ - name: revision
+ value: c15915e3d3b17e55ef7d9f5e3db7bec1fc0db492📝 Committable suggestion
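Review bot: the `- name: revision` line is removed and re-added unchanged; only the `value:` line belongs in this hunk. More importantly, the SHA was obtained by resolving the `konflux-example` branch of redhatproductsecurity/rapidast, while the later review of rapidast-integration-test.yaml reports that no such branch exists upstream and that the task file lives at examples/konflux/rapidast-check.yaml on `development`. Confirm the pinned commit actually contains the file named in pathInRepo before applying this suggestion.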
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.tekton/integration/rapidast-check.yaml around lines 123 - 124, The pipeline
currently sets the git resolver revision to the mutable branch name
"konflux-example" (the revision field in rapidast-check.yaml); replace that
value with an immutable commit SHA for the target repository so the task uses a
fixed commit, e.g., update the value of the revision key from "konflux-example"
to the specific commit SHA you want to pin; ensure the chosen SHA exists in the
repo and update any associated TODO comment to reflect the pinning.
Reviewed lines (.tekton/integration/rapidast-integration-test.yaml, lines 3-6):
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
  name: rapidast-integration-test
Avoid pipeline name collision with sibling manifest.
Line 6 uses rapidast-integration-test, and .tekton/integration/rapidast-check.yaml Line 6 uses the same name. Applying both manifests can overwrite one definition.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.tekton/integration/rapidast-integration-test.yaml at line 6, The pipeline
name "rapidast-integration-test" collides with the sibling manifest that uses
the same pipeline name; update the pipeline metadata name in this manifest to a
unique identifier (e.g., "rapidast-integration-test-v2" or similar) so it won't
overwrite the pipeline defined in the other manifest, ensuring you change the
metadata.name field that currently equals "rapidast-integration-test".
Reviewed lines (.tekton/integration/rapidast-integration-test.yaml, around lines 64-67):
set -euxo pipefail
cat <<< "$KUBECONFIG_VALUE" > "$KUBECONFIG"
echo "Wrote kubeconfig for new environment to $KUBECONFIG"
Prevent kubeconfig secret leakage in logs.
Line 64 enables shell tracing (-x), and Line 66 handles KUBECONFIG_VALUE from a secret. This can expose kubeconfig content in task logs.
Suggested fix
- set -euxo pipefail
+ set -euo pipefail🤖 Prompt for AI Agents
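Review bot: same concern as the sibling rapidast-check.yaml hunk: -x is dropped for the whole script instead of only around the secret write, and the suggestion leaves `cat <<< "$KUBECONFIG_VALUE" > "$KUBECONFIG"` untouched even though the prompt below recommends `printf '%s' "$KUBECONFIG_VALUE" > "$KUBECONFIG"` inside a `set +x` / `set -x` window. Both manifests carry the identical script, so fix them the same way to keep them from drifting.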
Verify each finding against the current code and only fix it if needed.
In @.tekton/integration/rapidast-integration-test.yaml around lines 64 - 67, The
script currently enables shell tracing with set -euxo pipefail which can leak
the secret KUBECONFIG_VALUE when you write it with cat <<< "$KUBECONFIG_VALUE";
change to avoid tracing secrets by removing -x globally (use set -euo pipefail)
and temporarily disable tracing only around the secret write: disable x (set
+x), write the secret safely (use printf '%s' "$KUBECONFIG_VALUE" >
"$KUBECONFIG" instead of cat <<<), then re-enable tracing if needed (set -x).
Also do not echo the secret variable itself—keep the safe confirmation message
"Wrote kubeconfig for new environment to $KUBECONFIG" but ensure it is printed
after tracing is re-enabled so the secret content is never logged.
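The two kubeconfig findings (this one and the one on rapidast-check.yaml) describe the same hazard: with xtrace on, any command that receives the secret as an argument is echoed into the task log. The script below is an added example, not code from the PR or the kueue-operator project; it captures the trace of a writer that passes a constructed stand-in KUBECONFIG_VALUE to printf (the form the prompt recommends) with -x on, then the hardened form that disables tracing only around the write. The helper names and the sample kubeconfig are mine, and `-o pipefail` from the PR script is omitted to keep the example POSIX-portable.

```shell
#!/bin/sh
# Added example (not from the PR): how xtrace leaks a secret passed as a
# command argument, and the narrow fix of disabling tracing around the write.
# The PR script also sets -o pipefail; omitted here to stay POSIX-portable.

# Constructed stand-in for the kubeconfig Secret mounted as KUBECONFIG_VALUE.
KUBECONFIG_VALUE='apiVersion: v1
kind: Config
users:
- name: demo
  user:
    token: CONSTRUCTED-DEMO-TOKEN'

# Leaky writer: tracing stays on for the whole script, so the shell echoes the
# expanded printf command, secret included, to stderr (the task log).
# Prints the captured trace on stdout; the file write itself goes to $out.
leaky_write() {
  out="$1"
  ( set -eux
    printf '%s\n' "$KUBECONFIG_VALUE" > "$out"
    echo "Wrote kubeconfig for new environment to $out" ) 2>&1 >/dev/null
}

# Hardened writer: strict flags kept, tracing off only around the secret
# write, confirmation message (path only) echoed after tracing resumes.
safe_write() {
  out="$1"
  ( set -eux
    set +x
    printf '%s\n' "$KUBECONFIG_VALUE" > "$out"
    set -x
    echo "Wrote kubeconfig for new environment to $out" ) 2>&1 >/dev/null
}

# Detection helper: "leaked" if the token shows up in a captured trace.
classify_trace() {
  if printf '%s' "$1" | grep -q 'CONSTRUCTED-DEMO-TOKEN'; then
    echo leaked
  else
    echo clean
  fi
}

# "yes" if the file holds exactly the secret, i.e. the fix did not break the write.
file_matches_secret() {
  if [ "$(cat "$1")" = "$KUBECONFIG_VALUE" ]; then echo yes; else echo no; fi
}

tmp=$(mktemp)
echo "leaky script trace:    $(classify_trace "$(leaky_write "$tmp")")"
echo "hardened script trace: $(classify_trace "$(safe_write "$tmp")")"
rm -f "$tmp"
```

The same `classify_trace` check can be run over real task logs to confirm no kubeconfig material reached them after the fix.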
Reviewed lines (.tekton/integration/rapidast-integration-test.yaml, lines 123-124):
- name: revision
  value: konflux-example
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
curl -fsSL 'https://api.github.com/repos/redhatproductsecurity/rapidast/commits/konflux-example' | jq -r '.sha'
Repository: openshift/kueue-operator
Length of output: 108
🏁 Script executed:
# First, let's locate and examine the file
find . -name "rapidast-integration-test.yaml" -type f
Repository: openshift/kueue-operator
Length of output: 120
🏁 Script executed:
# Read the file around lines 123-124 to verify the content
if [ -f ".tekton/integration/rapidast-integration-test.yaml" ]; then
  sed -n '110,135p' ".tekton/integration/rapidast-integration-test.yaml" | cat -n
fi
Repository: openshift/kueue-operator
Length of output: 1247
🏁 Script executed:
# Check the full context of this resolver configuration
if [ -f ".tekton/integration/rapidast-integration-test.yaml" ]; then
  wc -l ".tekton/integration/rapidast-integration-test.yaml"
  echo "---"
  # Show lines around the target
  sed -n '115,130p' ".tekton/integration/rapidast-integration-test.yaml"
fi
Repository: openshift/kueue-operator
Length of output: 702
Pin git resolver revision to an immutable commit SHA.
Lines 123-124 use a mutable branch reference (konflux-example) instead of a commit SHA. This weakens reproducibility and can cause unintended behavior changes when the branch moves. A TODO comment on line 113 already acknowledges this should be changed.
The konflux-example branch resolves to commit c15915e3d3b17e55ef7d9f5e3db7bec1fc0db492. Replace the revision with this SHA:
Suggested fix
- name: revision
- value: konflux-example
+ value: c15915e3d3b17e55ef7d9f5e3db7bec1fc0db492📝 Committable suggestion
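Review bot: this pin conflicts with the next finding on the same lines, which reports that `konflux-example` does not exist upstream and that pathInRepo must change to examples/konflux/rapidast-check.yaml on `development`. Applying both suggestions as written leaves a pinned SHA for a path that was never verified at that commit; pick a commit on `development` that contains examples/konflux/rapidast-check.yaml, pin that, and update pathInRepo in the same change.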
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.tekton/integration/rapidast-integration-test.yaml around lines 123 - 124,
Replace the mutable git branch reference used for the Tekton git resolver by
changing the value under the "name: revision" entry (currently
"konflux-example") to the immutable commit SHA
"c15915e3d3b17e55ef7d9f5e3db7bec1fc0db492"; update the YAML where "name:
revision" / "value: konflux-example" occurs so the pipeline always uses that
specific commit (and remove or update the related TODO acknowledging the branch
pin once done).
Reviewed lines (.tekton/integration/rapidast-integration-test.yaml, lines 123-126):
- name: revision
  value: konflux-example
- name: pathInRepo
  value: .tekton/integration/rapidast-check.yaml
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
BASE='https://raw.githubusercontent.com/redhatproductsecurity/rapidast/konflux-example'
for PATH_IN_REPO in '.tekton/integration/rapidast-check.yaml' 'examples/konflux/rapidast-check.yaml'; do
  echo "=== Checking: ${PATH_IN_REPO} ==="
  curl -fsSL "${BASE}/${PATH_IN_REPO}" | awk '/^apiVersion:|^kind:/{print}'
  echo
done
Repository: openshift/kueue-operator
Length of output: 192
🏁 Script executed:
# Search for the file in the current repository
fd 'rapidast-check.yaml' .tekton/
Repository: openshift/kueue-operator
Length of output: 107
🏁 Script executed:
# Check the kind of the file in question
head -20 .tekton/integration/rapidast-check.yaml
Repository: openshift/kueue-operator
Length of output: 850
🏁 Script executed:
# Also check if there are any Tasks named rapidast-check
fd -t f 'rapidast-check' .tekton/
Repository: openshift/kueue-operator
Length of output: 107
🏁 Script executed:
# View the context around lines 123-126 in the integration test file
sed -n '110,140p' .tekton/integration/rapidast-integration-test.yaml
Repository: openshift/kueue-operator
Length of output: 1192
🌐 Web query:
redhatproductsecurity rapidast konflux-example branch .tekton/integration/rapidast-check.yaml
💡 Result:
In RedHatProductSecurity/rapidast, there isn't a konflux-example branch (the repo's default branch is development). The Konflux example files live under examples/konflux/, including:
- examples/konflux/rapidast-check.yaml (the Tekton task/pipeline snippet you're looking for) [1]
- examples/konflux/integration-test.yaml (companion IntegrationTest example) [2]
Konflux docs also point to this same example pipeline in the RapiDAST integration guide. [3]
Sources: [1] [2] [3]
🏁 Script executed:
# Try to check if the remote file exists using a different method
# and see what's actually at that path
curl -fsSL 'https://raw.githubusercontent.com/redhatproductsecurity/rapidast/konflux-example/.tekton/integration/rapidast-check.yaml' 2>&1 | head -30
Repository: openshift/kueue-operator
Length of output: 116
🏁 Script executed:
# Check what's at the correct upstream path
curl -fsSL 'https://raw.githubusercontent.com/redhatproductsecurity/rapidast/development/examples/konflux/rapidast-check.yaml' 2>&1 | head -20
Repository: openshift/kueue-operator
Length of output: 829
Fix pathInRepo and revision parameters: they point to a non-existent upstream location.
The revision: konflux-example branch does not exist in the redhatproductsecurity/rapidast repository (default branch is development), and the pathInRepo: .tekton/integration/rapidast-check.yaml path does not exist upstream. The correct path is examples/konflux/rapidast-check.yaml on the development branch. Update both parameters to point to the correct upstream location so the git resolver can successfully fetch the Task.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.tekton/integration/rapidast-integration-test.yaml around lines 123 - 126,
The pipeline parameters revision and pathInRepo currently point to a
non-existent upstream location; update the parameter named revision from
"konflux-example" to "development" and update pathInRepo from
".tekton/integration/rapidast-check.yaml" to
"examples/konflux/rapidast-check.yaml" so the git resolver can fetch the Task;
locate and change the values for the parameters named revision and pathInRepo in
the .tekton/integration/rapidast-integration-test.yaml manifest.
@cpmeadors: The following test failed, say
Full PR test history. Your PR dashboard.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
testing out konflux rapidast automation again