// Accesses archived Konflux PipelineRuns, TaskRuns, and pod logs via KubeArchive. Auto-applies when checking Konflux PipelineRun results, investigating enterprise contract failures, or retrieving logs from completed Konflux CI runs.
Build and push control-plane-operator container image. Auto-applies when testing CPO changes that require deploying to a live cluster.
Build and push hypershift-operator container image. Auto-applies when testing HO changes that require deploying to a live cluster.
Create a HyperShift HostedCluster on AWS for development and testing, with optional custom CPO/HO images.
Destroy a HyperShift HostedCluster and all associated AWS infrastructure (VPC, IAM, Route53, etc.).
Provides the ability to run and iterate on HyperShift e2e tests. Auto-applies when implementing features that require e2e validation, fixing e2e test failures, or working on tasks that need live cluster testing.
Create development environments with git worktrees, branches, commits, and push to remote. Auto-applies for git workflow tasks.
| name | Konflux Archived PipelineRuns |
| description | Accesses archived Konflux PipelineRuns, TaskRuns, and pod logs via KubeArchive. Auto-applies when checking Konflux PipelineRun results, investigating enterprise contract failures, or retrieving logs from completed Konflux CI runs. |
This skill provides the workflow for accessing Konflux PipelineRuns that have been archived by the kube archiver. PipelineRuns are archived quickly after completion and are typically NOT available via oc get. Use the KubeArchive REST API to retrieve PipelineRun details, TaskRun results, and pod logs.
This skill automatically applies when:
oc get in the Konflux namespacecrt-redhat-acm-tenantapi.stone-prd-rh01.pg1f.p1.openshiftapps.com:6443oc getArchived PipelineRuns, TaskRuns, pods, and pod logs are accessible through the KubeArchive REST API:
KA_HOST="https://kubearchive-api-server-product-kubearchive.apps.stone-prd-rh01.pg1f.p1.openshiftapps.com"
Authentication uses the oc token:
curl -s -H "Authorization: Bearer $(oc whoami -t)" "${KA_HOST}/livez"
curl -s -H "Authorization: Bearer $(oc whoami -t)" \
"${KA_HOST}/apis/tekton.dev/v1/namespaces/crt-redhat-acm-tenant/pipelineruns/<PIPELINERUN_NAME>"
Child TaskRun references are in status.childReferences:
data['status']['childReferences'] # list of {name, kind, apiVersion, pipelineTaskName}
curl -s -H "Authorization: Bearer $(oc whoami -t)" \
"${KA_HOST}/apis/tekton.dev/v1/namespaces/crt-redhat-acm-tenant/taskruns/<TASKRUN_NAME>"
TaskRun results are in status.results.
curl -s -H "Authorization: Bearer $(oc whoami -t)" \
"${KA_HOST}/api/v1/namespaces/crt-redhat-acm-tenant/pods?labelSelector=tekton.dev/taskRun=<TASKRUN_NAME>"
List available containers first from the pod spec (spec.initContainers and spec.containers), then fetch logs:
curl -s -H "Authorization: Bearer $(oc whoami -t)" \
"${KA_HOST}/api/v1/namespaces/crt-redhat-acm-tenant/pods/<POD_NAME>/log?container=<CONTAINER_NAME>"
HEAD_SHA=$(gh pr view <PR> --repo openshift/hypershift --json headRefOid -q .headRefOid)
# Find failing EC check runs
gh api repos/openshift/hypershift/commits/${HEAD_SHA}/check-runs --paginate \
--jq '.check_runs[] | select(.name | test("enterprise-contract")) | select(.conclusion == "failure") | {name: .name, id: .id}'
# Get PipelineRun names from check output
gh api repos/openshift/hypershift/commits/${HEAD_SHA}/check-runs --paginate \
--jq '.check_runs[] | select(.name | test("enterprise-contract")) | select(.conclusion == "failure") | .output.text'
The PipelineRun name appears in an <a href="..."> tag in the output text.
The EC verify task pod has these containers with useful output:
step-report-json - Structured JSON with all violations (preferred)step-summary - Human-readable summarystep-detailed-report - Detailed report{
"success": false,
"components": [{
"name": "component-name",
"containerImage": "quay.io/...",
"violations": [{
"msg": "Human-readable message",
"metadata": {
"code": "rule.code.name",
"title": "Rule title",
"description": "Rule description",
"solution": "How to fix"
}
}]
}]
}
Group violations by metadata.code and present a summary with counts, rule names, and individual messages.
tasks.required_untrusted_task_foundA required task is present but not resolved from a trusted version. Fix by updating the task reference in .tekton/ pipeline files.
trusted_task.trustedA task version is not in the trusted task list. The violation message includes the required SHA to upgrade to. Fix by updating task digests in .tekton/ pipeline files.
oc whoami -t fails: User must log in to the Konflux cluster with oc login/livez fails: Check that oc is logged in to the correct cluster (api.stone-prd-rh01.pg1f.p1.openshiftapps.com:6443)oc get directly in namespace crt-redhat-acm-tenant