Konflux CI Tools
Tools for working with Konflux pipelines and builds. Several tasks are
available both as Claude Code skills (automated) and as standalone scripts
(manual). The standalone scripts live under hack/tools/ and require oc
access to the Konflux cluster (api.stone-prd-rh01.pg1f.p1.openshiftapps.com:6443)
in namespace crt-redhat-acm-tenant.
Predict which pipelines a PR triggers
You've changed a Containerfile and some Go code, and want to know which Konflux pipelines will fire before you push.
Tool: hack/tools/check-konflux-triggers/
Evaluates Pipelines-as-Code CEL expressions from .tekton/*pull-request*
files against the current branch's changed files. Uses the same gobwas/glob
and google/cel-go libraries as Pipelines as Code.
# Check which pipelines would trigger for your current changes:
(cd hack/tools && go run ./check-konflux-triggers/)
# Compare against a different base (e.g., your upstream remote):
(cd hack/tools && go run ./check-konflux-triggers/ upstream/main)
Build an image from a PR
Scenario 1: You opened a PR with an OCPBUGS fix and need the built image to deploy in a staging cluster for manual validation — but the PR hasn't merged yet.
Scenario 2: A colleague asks you to test their PR, but it was opened a week ago and the 5-day image expiry has already garbage-collected it from the registry. You need a fresh build with a longer TTL.
Skill: /konflux-build — creates a manual Konflux PipelineRun from a
PR with configurable image expiry (default 30 days).
# In Claude Code:
/konflux-build 8761
/konflux-build https://github.com/openshift/hypershift/pull/8761
Investigate Enterprise Contract failures
Your PR shows a red "enterprise-contract" check on GitHub. The check output
says something about untrusted tasks or policy violations, but the details
are sparse. The PipelineRun has already been archived and oc get returns
nothing.
Skill: /konflux-ec-violations — accesses archived PipelineRuns via
the KubeArchive REST API, retrieves the EC verify task's JSON report, and
summarises violations grouped by rule.
# In Claude Code, pass the PR number or URL:
/konflux-ec-violations 8761
The skill fetches the archived PipelineRun from KubeArchive, finds the
EC verify task pod, reads the step-report-json container logs, and
presents the violations with rule codes, descriptions, and suggested fixes.
Update outdated Tekton tasks
Enterprise Contract checks are failing with trusted_task.trusted — your
.tekton/ pipeline files reference task bundle digests that are no longer
in the trusted list.
Skill: /update-konflux-tasks — parses EC violation logs, identifies outdated tasks, fetches migration notes from the build-definitions repo, and applies the digest updates.
# In Claude Code:
/update-konflux-tasks
Standalone scripts
The skill uses two scripts that can also be run directly:
hack/tools/scripts/update_trusted_task_bundles.py — fetches the
trusted tasks data from the Konflux data-acceptable-bundles OCI artifact
and updates pipeline YAML files to the latest trusted digests.
# Update all .tekton/ pipeline files at once:
hack/tools/scripts/update_trusted_task_bundles.py
# Update only the operator push pipeline:
hack/tools/scripts/update_trusted_task_bundles.py .tekton/hypershift-operator-main-push.yaml
Prerequisites: python3, oras
hack/tools/scripts/find_task_version_by_digest.sh — maps a task
container image digest to its semantic version tag. Useful when an EC
violation message gives you a digest like sha256:a7cc... and you need
to know "is this version 0.8 or 0.9?".
# Find which version of clair-scan corresponds to a digest:
hack/tools/scripts/find_task_version_by_digest.sh clair-scan \
sha256:a7cc183967f89c4ac100d04ab8f81e54733beee60a0528208107c9a22d3c43af
Prerequisites: skopeo, jq
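The digest-to-tag mapping that script performs, shown as an added example (this is not the repository's find_task_version_by_digest.sh). The principle: a registry digest is the sha256 of the exact manifest bytes it stores, so the lookup hashes the raw manifest of every tag until one matches. The quay.io/konflux-ci/tekton-catalog/task-<name> repository layout is an assumption, the three fixture manifests are constructed for the example, and KONFLUX_LIVE=1 switches the two registry functions over to skopeo (network required).

```shell
#!/usr/bin/env bash
# Added example, not hack/tools/scripts/find_task_version_by_digest.sh.
# A registry digest is sha256 over the exact manifest bytes, so mapping a
# digest back to a tag means: hash the raw manifest of every tag, stop on match.
set -u

# Print "sha256:<hex>" of stdin (coreutils sha256sum, or shasum on macOS).
manifest_digest() {
  local hex
  if command -v sha256sum >/dev/null 2>&1; then
    hex=$(sha256sum | cut -d' ' -f1)
  else
    hex=$(shasum -a 256 | cut -d' ' -f1)
  fi
  printf 'sha256:%s\n' "$hex"
}

# True only for "sha256:" followed by exactly 64 hex characters. EC messages are
# often truncated ("sha256:a7cc..."), and a truncated digest can never match.
is_sha256() {
  case $1 in sha256:*) ;; *) return 1 ;; esac
  local hex=${1#sha256:}
  [ "${#hex}" -eq 64 ] || return 1
  case $hex in *[!0-9a-f]*) return 1 ;; esac
  return 0
}

# Live registry access via skopeo (needs network). --raw matters: without it
# skopeo re-serialises the manifest and the hash no longer matches the registry.
list_tags()    { skopeo list-tags "docker://$1" | jq -r '.Tags[]'; }
raw_manifest() { skopeo inspect --raw "docker://$1:$2"; }

# Offline stand-in for the two functions above: three constructed manifests.
use_fixture_registry() {
  list_tags() { printf '0.1\n0.2\n0.3\n'; }
  raw_manifest() {
    case $2 in
      0.1) printf '%s' '{"schemaVersion":2,"config":{"digest":"fixture-0.1"}}' ;;
      0.2) printf '%s' '{"schemaVersion":2,"config":{"digest":"fixture-0.2"}}' ;;
      0.3) printf '%s' '{"schemaVersion":2,"config":{"digest":"fixture-0.3"}}' ;;
      *)   return 1 ;;
    esac
  }
}

# Usage: find_tag_for_digest clair-scan sha256:<64 hex>. Prints the tag, or
# fails with 2 (malformed digest) / 1 (no tag has it: untagged or GC'd bundle).
# Repository layout quay.io/konflux-ci/tekton-catalog/task-<name> is assumed.
find_tag_for_digest() {
  local repo="quay.io/konflux-ci/tekton-catalog/task-$1" wanted=$2 tag
  is_sha256 "$wanted" || { echo "not a full sha256 digest: $wanted" >&2; return 2; }
  for tag in $(list_tags "$repo"); do
    if [ "$(raw_manifest "$repo" "$tag" | manifest_digest)" = "$wanted" ]; then
      printf '%s\n' "$tag"
      return 0
    fi
  done
  echo "no tag of $repo has digest $wanted" >&2
  return 1
}

if [ "${KONFLUX_LIVE:-0}" = 1 ]; then
  # Real lookup: KONFLUX_LIVE=1 ./this.sh clair-scan sha256:<64 hex>
  [ $# -eq 2 ] || { echo "usage: $0 <task-name> <sha256:digest>" >&2; exit 64; }
  find_tag_for_digest "$1" "$2"
else
  # Default: demonstrate against the constructed fixture, no network needed.
  use_fixture_registry
  demo=$(raw_manifest fixture 0.2 | manifest_digest)
  echo "fixture: $demo -> tag $(find_tag_for_digest clair-scan "$demo")"
fi
```

A digest that fails is_sha256 is rejected before any registry call, which is the case to watch for when pasting from an EC report: the report may show a shortened digest, and the full value has to be copied from the .tekton/ bundle reference instead.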
Test tag pipeline changes
You're modifying the tag pipeline definition in .tekton/ (e.g., adding a
new build step or changing the multi-arch platforms). You need to verify
the changes actually work before merging — but tag pipelines only trigger
on git tag pushes, so normal PR CI won't exercise them.
Skill: /test-tag-pipeline — creates a manual PipelineRun from a tag
commit using your branch's pipeline definition, waits for it to complete,
and optionally triggers EC validation via a Snapshot.
# In Claude Code, from your branch with tag pipeline changes:
/test-tag-pipeline v0.1.69
Standalone scripts
The skill orchestrates two scripts that can be used independently:
hack/tools/scripts/create-manual-tag-pipelinerun.sh — creates the
manual PipelineRun by patching the tag pipeline YAML with your branch's
commit SHA and submitting it.
# Test the tag pipeline from main against tag v0.1.69:
hack/tools/scripts/create-manual-tag-pipelinerun.sh v0.1.69
# Test using the pipeline definition from your fork branch:
hack/tools/scripts/create-manual-tag-pipelinerun.sh v0.1.69 celebdor:fix-tag-pipeline
# Then watch the PipelineRun until it finishes:
oc get pipelinerun -n crt-redhat-acm-tenant -w -l pipelinesascode.tekton.dev/event-type=push
Prerequisites: oc, yq
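How the template-to-manual conversion works, as an added example (this is not the project's create-manual-tag-pipelinerun.sh, and it deliberately uses only sed, not yq). Pipelines as Code expands {{revision}}, {{source_url}} and {{target_branch}} itself when it reacts to a git event; oc create -f does not, so a manual run has to substitute them and should refuse to submit if any placeholder survives. The PipelineRun excerpt is a constructed fixture, and the renaming of -on-push to -manual-<tag>- is this example's convention.

```shell
#!/usr/bin/env bash
# Added example, not hack/tools/scripts/create-manual-tag-pipelinerun.sh.
# PaC expands {{revision}}, {{source_url}}, {{target_branch}} when it reacts to
# a git event. `oc create -f` does not, so a manual run must substitute them and
# must refuse to submit if any placeholder survives (Tekton would otherwise try
# to fetch a literal "{{revision}}", or a template-only param would leak through).
set -u

# Constructed excerpt of a Konflux push PipelineRun; real files carry many more params.
TAG_PIPELINE_TEMPLATE='apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
  name: hypershift-operator-main-on-push
  namespace: crt-redhat-acm-tenant
  annotations:
    pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch.startsWith("refs/tags/")
spec:
  params:
  - name: git-url
    value: "{{source_url}}"
  - name: revision
    value: "{{revision}}"
  - name: output-image
    value: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/hypershift-operator-main:{{revision}}
'

# Usage: render_manual_pipelinerun <tag> <commit-sha> <source-url> < .tekton/<push>.yaml
# Prints the manual PipelineRun, or fails without output if a placeholder remains.
render_manual_pipelinerun() {
  local tag=$1 sha=$2 url=$3 out leftover
  [ "${#sha}" -eq 40 ] || { echo "commit must be a full 40-hex SHA: $sha" >&2; return 2; }
  case $sha in *[!0-9a-f]*) echo "commit must be a full 40-hex SHA: $sha" >&2; return 2 ;; esac
  case $url$tag in *'|'*) echo "'|' not allowed in url/tag (sed delimiter)" >&2; return 2 ;; esac
  # Substitute the PaC variables and turn the fixed name into a generateName so
  # repeated test runs do not collide.
  out=$(sed \
    -e "s|{{revision}}|$sha|g" \
    -e "s|{{source_url}}|$url|g" \
    -e "s|{{target_branch}}|refs/tags/$tag|g" \
    -e "s|^  name: \(.*\)-on-push\$|  generateName: \1-manual-$tag-|")
  # Anything still wrapped in {{...}} is a PaC variable we did not expand.
  leftover=$(printf '%s\n' "$out" | grep -o '{{[a-z_]*}}' | sort -u) || true
  if [ -n "$leftover" ]; then
    echo "refusing to submit: unexpanded PaC placeholders remain:" >&2
    printf '%s\n' "$leftover" >&2
    return 1
  fi
  printf '%s\n' "$out"
}

# Demo against the fixture. For a real run, feed the branch's pipeline file and
# the tag's commit: git rev-parse "v0.1.69^{commit}".
demo_sha=6e6ecadc61361e4fe359af34dcdee17df06c664e   # commit used in this page's examples
printf '%s' "$TAG_PIPELINE_TEMPLATE" \
  | render_manual_pipelinerun v0.1.69 "$demo_sha" https://github.com/openshift/hypershift
```

Pipe the output to oc create -n crt-redhat-acm-tenant -f - (create, not apply, because the manifest uses generateName). Check the rendered output-image before submitting: the manual run pushes to the component's real quay repository, as the mode 2 example below shows with hypershift-operator-main:v0.1.69, so the tag you build under should not collide with one a genuine release build already published.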
hack/tools/scripts/create-snapshot-from-pipelinerun.sh — after the
build completes, creates an appstudio.redhat.com/v1alpha1 Snapshot
resource to trigger Enterprise Contract (EC) validation on the resulting
image. The Snapshot links the built container image back to its source
commit and target branch, which is exactly the metadata EC needs to run
its policy checks.
The script has two modes:
- From a live PipelineRun — extracts IMAGE_URL, IMAGE_DIGEST, commit SHA, and target branch directly from the PipelineRun's status.results and annotations.
- Direct image parameters — useful when the PipelineRun has already been garbage-collected. You provide the image coordinates and commit metadata explicitly.
# Mode 1: From a completed PipelineRun (extracts image details automatically):
hack/tools/scripts/create-snapshot-from-pipelinerun.sh \
hypershift-operator-main-manual-v0.1.69-abc12
# Mode 2: Direct parameters (e.g., after PipelineRun was garbage-collected):
hack/tools/scripts/create-snapshot-from-pipelinerun.sh \
--image-url quay.io/redhat-user-workloads/crt-redhat-acm-tenant/hypershift-operator-main:v0.1.69 \
--image-digest sha256:016e754d... \
--pipelinerun hypershift-operator-main-manual-v0.1.69-gb49w \
--commit 6e6ecadc61361e4fe359af34dcdee17df06c664e \
--target-branch refs/tags/v0.1.69
# Monitor the resulting EC IntegrationTestScenario run:
oc get snapshot <snapshot-name> -n crt-redhat-acm-tenant -w
oc get pipelinerun -n crt-redhat-acm-tenant -l appstudio.openshift.io/snapshot=<snapshot-name>
Prerequisites: oc, jq
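The Snapshot that mode 2 renders, as an added example (this is not the repository's create-snapshot-from-pipelinerun.sh). The point worth seeing in code is that containerImage must be pinned by digest and never by tag: EC verifies one specific digest, while a tag such as v0.1.69 can be re-pushed between the build and the check. Assumed for the example: the application name (a placeholder, since the page does not give it), the label and annotation keys (modelled on Konflux build-generated Snapshots), and the constructed demo digest.

```shell
#!/usr/bin/env bash
# Added example, not hack/tools/scripts/create-snapshot-from-pipelinerun.sh.
# Renders the Snapshot that hands an existing image to Enterprise Contract.
# The one hard rule enforced here: containerImage is pinned by digest, never by
# tag, because EC verifies exactly one digest while a tag can be re-pushed.
set -u

NAMESPACE=crt-redhat-acm-tenant
GIT_URL=https://github.com/openshift/hypershift
APPLICATION=hypershift-operator   # assumed placeholder; the real application name is not on this page

# True only for "sha256:" followed by exactly 64 hex characters.
is_sha256() {
  case $1 in sha256:*) ;; *) return 1 ;; esac
  local hex=${1#sha256:}
  [ "${#hex}" -eq 64 ] || return 1
  case $hex in *[!0-9a-f]*) return 1 ;; esac
  return 0
}

# True only for a full 40-hex git commit SHA (no abbreviations, no refs).
is_commit_sha() {
  [ "${#1}" -eq 40 ] || return 1
  case $1 in *[!0-9a-f]*) return 1 ;; esac
}

# Turn "repo:tag" (or "repo", or "repo@sha256:...") plus a digest into a pinned
# "repo@sha256:..." pullspec. Fails on a malformed digest or on a URL that
# already carries a different digest.
pin_image() {  # $1 image url, $2 digest
  local url=$1 digest=$2 repo last
  is_sha256 "$digest" || { echo "malformed digest: $digest" >&2; return 1; }
  repo=${url%%@*}
  if [ "$repo" != "$url" ] && [ "${url#*@}" != "$digest" ]; then
    echo "URL digest ${url#*@} contradicts $digest" >&2; return 1
  fi
  last=${repo##*/}                              # only the final path segment can hold a tag;
  case $last in *:*) repo=${repo%:*} ;; esac    # a ':' earlier on is a registry port
  printf '%s@%s\n' "$repo" "$digest"
}

# Usage: render_snapshot <component> <image-url> <digest> <commit> <target-branch> <build-pipelinerun>
# Label/annotation keys are assumed from Konflux build-generated Snapshots.
render_snapshot() {
  local component=$1 image commit=$4 branch=$5 plr=$6
  image=$(pin_image "$2" "$3") || return 1
  is_commit_sha "$commit" || { echo "commit must be a full 40-hex SHA: $commit" >&2; return 1; }
  cat <<EOF
apiVersion: appstudio.redhat.com/v1alpha1
kind: Snapshot
metadata:
  generateName: ${component}-manual-
  namespace: $NAMESPACE
  labels:
    appstudio.openshift.io/component: $component
    appstudio.openshift.io/build-pipelinerun: $plr
    pac.test.appstudio.openshift.io/event-type: push
    pac.test.appstudio.openshift.io/sha: $commit
  annotations:
    build.appstudio.redhat.com/commit_sha: $commit
    build.appstudio.redhat.com/target_branch: $branch
spec:
  application: $APPLICATION
  components:
  - name: $component
    containerImage: $image
    source:
      git:
        url: $GIT_URL
        revision: $commit
EOF
}

# Demo with a constructed digest (the page's real digest is truncated, so it is
# not reused here). Submit with `... | oc create -f -` (create, not apply: generateName).
DEMO_DIGEST=sha256:deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
render_snapshot hypershift-operator-main \
  quay.io/redhat-user-workloads/crt-redhat-acm-tenant/hypershift-operator-main:v0.1.69 \
  "$DEMO_DIGEST" 6e6ecadc61361e4fe359af34dcdee17df06c664e refs/tags/v0.1.69 \
  hypershift-operator-main-manual-v0.1.69-gb49w
```

Because pin_image strips the tag and appends the digest, passing the tagged URL the page's mode 2 example uses is fine; what the Snapshot records is the immutable reference. The IMAGE_DIGEST result from the build PipelineRun is the value to pass, not a digest read back from the tag later.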