Run any Skill in Manus with one click

$pwd:

working-with-provenance

Name: Working With Provenance
Author: konflux-ci

// Use when tracing Konflux builds from image references, finding build logs from artifacts, or verifying source commits for container images - extracts provenance attestations to navigate from images back to builds and source code

Run Skill in Manus

$ git log --oneline --stat

stars:8

forks:9

updated:November 13, 2025 at 19:25

File Explorer

25 files

SKILL.md

readonly

name	working-with-provenance
description	Use when tracing Konflux builds from image references, finding build logs from artifacts, or verifying source commits for container images - extracts provenance attestations to navigate from images back to builds and source code
allowed-tools	Bash(cosign download:), Bash(cosign verify:), Bash(jq:), Bash(~/.claude/skills/working-with-provenance/scripts/:*)

Working with Provenance

Overview

Every Konflux build produces SLSA provenance attestations containing the complete build history: source repository, commit SHA, pipeline run URL, and build parameters. Use cosign download attestation with jq to extract this information and trace artifacts back to their origins.

When to Use

Use this skill when you need to:

Find build logs for an image (missing SBOM, failed tasks, debugging)
Trace an image back to its source commit (what changed, code review)
Verify which repository and commit produced an artifact (security, compliance)
Extract build parameters or pipeline information (reproduce builds, debug configuration)

Do NOT use for non-Konflux images (Docker Hub, upstream images without attestations).

Quick Reference

Need	Command Pattern	Helper Script
Build log URL	`cosign download attestation $IMAGE \| jq '.payload \| @base64d \| fromjson \| .predicate.buildConfig.tasks[0].invocation.environment.annotations."pipelinesascode.tekton.dev/log-url"'`	`~/.claude/skills/working-with-provenance/scripts/build-log-link.sh $IMAGE`
Commit link	`cosign download attestation $IMAGE \| jq '.payload \| @base64d \| fromjson \| .predicate.buildConfig.tasks[0].invocation.environment.annotations \| ."pipelinesascode.tekton.dev/repo-url" + "/commit/" + ."pipelinesascode.tekton.dev/sha"'`	`~/.claude/skills/working-with-provenance/scripts/build-commit-link.sh $IMAGE`
Git repository	`cosign download attestation $IMAGE \| jq '.payload \| @base64d \| fromjson \| .predicate.buildConfig.tasks[0].invocation.environment.annotations."pipelinesascode.tekton.dev/repo-url"'`	`~/.claude/skills/working-with-provenance/scripts/build-git-repo.sh $IMAGE`
Origin pullspec	`cosign download attestation $IMAGE \| jq '.payload \| @base64d \| fromjson \| .subject[0].name + ":" + .predicate.buildConfig.tasks[0].invocation.environment.annotations."pipelinesascode.tekton.dev/sha"'`	`~/.claude/skills/working-with-provenance/scripts/build-origin-pullspec.sh $IMAGE`

Helper Scripts

This skill includes ready-to-use bash scripts that you can invoke directly:

# Extract build log URL
~/.claude/skills/working-with-provenance/scripts/build-log-link.sh quay.io/org/image:tag

# Extract commit URL (handles GitHub and GitLab)
~/.claude/skills/working-with-provenance/scripts/build-commit-link.sh quay.io/org/image:tag

# Extract git repository URL
~/.claude/skills/working-with-provenance/scripts/build-git-repo.sh quay.io/org/image:tag

# Extract original pullspec with commit SHA
~/.claude/skills/working-with-provenance/scripts/build-origin-pullspec.sh quay.io/org/image:tag

Common Workflow

Investigating missing SBOM:

# 1. Get build log URL from provenance
LOG_URL=$(~/.claude/skills/working-with-provenance/scripts/build-log-link.sh quay.io/org/image:tag)

# 2. Open logs in browser or use debugging-pipeline-failures skill
echo $LOG_URL

Tracing code changes:

# 1. Get commit link from provenance
COMMIT=$(~/.claude/skills/working-with-provenance/scripts/build-commit-link.sh quay.io/org/image:tag)

# 2. View the commit
echo $COMMIT  # Opens in browser

# 3. Check recent history
git clone $(~/.claude/skills/working-with-provenance/scripts/build-git-repo.sh quay.io/org/image:tag)

Attestation Structure

Konflux provenance lives at:

.payload (base64-encoded)
  └─ .predicate
       ├─ .buildConfig.tasks[0].invocation.environment.annotations
       │    ├─ pipelinesascode.tekton.dev/log-url      (pipeline logs)
       │    ├─ pipelinesascode.tekton.dev/repo-url     (git repository)
       │    └─ pipelinesascode.tekton.dev/sha          (commit SHA)
       └─ .subject[0].name                              (image name)

Common Mistakes

Mistake	Fix
Trying to parse image tags for commit info	Tags can be arbitrary. Use provenance for definitive source.
Manual UI navigation to find logs	Use `build-log-link.sh` - faster and scriptable.
Assuming images without Konflux builds have provenance	Only Konflux-built images have SLSA attestations via Tekton Chains.
Forgetting to base64 decode payload	Always use `.payload \| @base64d \| fromjson` pattern.

Real-World Example

# User reports: "Build quay.io/redhat-user-workloads/konflux-ai-sig-tenant/llm-compressor-demo:7f9a553... missing SBOM"

# 1. Extract build log URL
$ ~/.claude/skills/working-with-provenance/scripts/build-log-link.sh quay.io/redhat-user-workloads/konflux-ai-sig-tenant/llm-compressor-demo:7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
https://konflux-ui.apps.kflux-prd-rh03.nnv1.p1.openshiftapps.com/ns/konflux-ai-sig-tenant/pipelinerun/llm-compressor-on-push-lvnc5

# 2. Extract source commit
$ ~/.claude/skills/working-with-provenance/scripts/build-commit-link.sh quay.io/redhat-user-workloads/konflux-ai-sig-tenant/llm-compressor-demo:7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
🐙 https://github.com/ralphbean/llm-compressor-hermetic-demo/commit/7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd

# Now: Open logs to debug SBOM task, review commit for context

Keywords

SLSA provenance, attestation, cosign, Tekton Chains, build logs, commit SHA, source tracing, artifact metadata, supply chain security, SBOM debugging, pipeline logs, container image verification

related-skills.json

same repository

konflux-is-a-build-tool.md

from "konflux-ci/agent-plugins"

Use this skill to query Konflux objects from the Kubernetes cluster. Konflux objects are application, component, pipelinerun, taskrun, snapshot and release. The skill can be used to query logs from failed or removed pipelines and pods.

2026-01-298

navigating-github-to-konflux-pipelines.md

from "konflux-ci/agent-plugins"

Use when GitHub PR or branch has failing checks and you need to find Konflux pipeline information (cluster, namespace, PipelineRun name). Teaches gh CLI commands to identify Konflux checks (filter out Prow/SonarCloud), extract PipelineRun URLs from builds and integration tests, and parse URLs for kubectl debugging.

2025-11-138

debugging-pipeline-failures.md

from "konflux-ci/agent-plugins"

Use when Konflux pipelines fail, are stuck, timeout, or show errors like ImagePullBackOff. Covers PipelineRun failures, TaskRun issues (Pending, Failed, stuck Running), build errors, and systematic debugging of Tekton pipeline problems using kubectl and logs.

2025-11-138

self-test-skill-invocation.md

from "konflux-ci/agent-plugins"

Use when user asks to "test skill invocation framework" or mentions "canary skill test". This is a self-test skill to verify the test framework correctly loads and invokes skills.

2025-11-128

understanding-konflux-resources.md

from "konflux-ci/agent-plugins"

Use when user asks about Konflux resources, Custom Resources, Applications, Components, Snapshots, IntegrationTestScenarios, ReleasePlans, ReleasePlanAdmissions, or namespace placement. Provides quick reference for what Konflux resources are, who creates them, and where they belong (tenant vs managed namespace).

2025-11-128

package.json

"author": "konflux-ci"

"repository": "konflux-ci/agent-plugins"

View GitHub Repository View Creator Repositories

$ install --global

$ download --local

Run Skill in Manus

$ useful --forSOC

Network and Computer Systems AdministratorsComputer and Mathematical Occupations15-1244L4

name	working-with-provenance
description	Use when tracing Konflux builds from image references, finding build logs from artifacts, or verifying source commits for container images - extracts provenance attestations to navigate from images back to builds and source code
allowed-tools	Bash(cosign download:), Bash(cosign verify:), Bash(jq:), Bash(~/.claude/skills/working-with-provenance/scripts/:*)

Working with Provenance

Overview

When to Use

Use this skill when you need to:

Find build logs for an image (missing SBOM, failed tasks, debugging)
Trace an image back to its source commit (what changed, code review)
Verify which repository and commit produced an artifact (security, compliance)
Extract build parameters or pipeline information (reproduce builds, debug configuration)

Do NOT use for non-Konflux images (Docker Hub, upstream images without attestations).

Quick Reference

Need	Command Pattern	Helper Script
Build log URL	`cosign download attestation $IMAGE \| jq '.payload \| @base64d \| fromjson \| .predicate.buildConfig.tasks[0].invocation.environment.annotations."pipelinesascode.tekton.dev/log-url"'`	`~/.claude/skills/working-with-provenance/scripts/build-log-link.sh $IMAGE`
Commit link	`cosign download attestation $IMAGE \| jq '.payload \| @base64d \| fromjson \| .predicate.buildConfig.tasks[0].invocation.environment.annotations \| ."pipelinesascode.tekton.dev/repo-url" + "/commit/" + ."pipelinesascode.tekton.dev/sha"'`	`~/.claude/skills/working-with-provenance/scripts/build-commit-link.sh $IMAGE`
Git repository	`cosign download attestation $IMAGE \| jq '.payload \| @base64d \| fromjson \| .predicate.buildConfig.tasks[0].invocation.environment.annotations."pipelinesascode.tekton.dev/repo-url"'`	`~/.claude/skills/working-with-provenance/scripts/build-git-repo.sh $IMAGE`
Origin pullspec	`cosign download attestation $IMAGE \| jq '.payload \| @base64d \| fromjson \| .subject[0].name + ":" + .predicate.buildConfig.tasks[0].invocation.environment.annotations."pipelinesascode.tekton.dev/sha"'`	`~/.claude/skills/working-with-provenance/scripts/build-origin-pullspec.sh $IMAGE`

Helper Scripts

This skill includes ready-to-use bash scripts that you can invoke directly:

# Extract build log URL
~/.claude/skills/working-with-provenance/scripts/build-log-link.sh quay.io/org/image:tag

# Extract commit URL (handles GitHub and GitLab)
~/.claude/skills/working-with-provenance/scripts/build-commit-link.sh quay.io/org/image:tag

# Extract git repository URL
~/.claude/skills/working-with-provenance/scripts/build-git-repo.sh quay.io/org/image:tag

# Extract original pullspec with commit SHA
~/.claude/skills/working-with-provenance/scripts/build-origin-pullspec.sh quay.io/org/image:tag

Common Workflow

Investigating missing SBOM:

# 1. Get build log URL from provenance
LOG_URL=$(~/.claude/skills/working-with-provenance/scripts/build-log-link.sh quay.io/org/image:tag)

# 2. Open logs in browser or use debugging-pipeline-failures skill
echo $LOG_URL

Tracing code changes:

# 1. Get commit link from provenance
COMMIT=$(~/.claude/skills/working-with-provenance/scripts/build-commit-link.sh quay.io/org/image:tag)

# 2. View the commit
echo $COMMIT  # Opens in browser

# 3. Check recent history
git clone $(~/.claude/skills/working-with-provenance/scripts/build-git-repo.sh quay.io/org/image:tag)

Attestation Structure

Konflux provenance lives at:

.payload (base64-encoded)
  └─ .predicate
       ├─ .buildConfig.tasks[0].invocation.environment.annotations
       │    ├─ pipelinesascode.tekton.dev/log-url      (pipeline logs)
       │    ├─ pipelinesascode.tekton.dev/repo-url     (git repository)
       │    └─ pipelinesascode.tekton.dev/sha          (commit SHA)
       └─ .subject[0].name                              (image name)

Common Mistakes

Mistake	Fix
Trying to parse image tags for commit info	Tags can be arbitrary. Use provenance for definitive source.
Manual UI navigation to find logs	Use `build-log-link.sh` - faster and scriptable.
Assuming images without Konflux builds have provenance	Only Konflux-built images have SLSA attestations via Tekton Chains.
Forgetting to base64 decode payload	Always use `.payload \| @base64d \| fromjson` pattern.

Real-World Example

# User reports: "Build quay.io/redhat-user-workloads/konflux-ai-sig-tenant/llm-compressor-demo:7f9a553... missing SBOM"

# 1. Extract build log URL
$ ~/.claude/skills/working-with-provenance/scripts/build-log-link.sh quay.io/redhat-user-workloads/konflux-ai-sig-tenant/llm-compressor-demo:7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
https://konflux-ui.apps.kflux-prd-rh03.nnv1.p1.openshiftapps.com/ns/konflux-ai-sig-tenant/pipelinerun/llm-compressor-on-push-lvnc5

# 2. Extract source commit
$ ~/.claude/skills/working-with-provenance/scripts/build-commit-link.sh quay.io/redhat-user-workloads/konflux-ai-sig-tenant/llm-compressor-demo:7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
🐙 https://github.com/ralphbean/llm-compressor-hermetic-demo/commit/7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd

# Now: Open logs to debug SBOM task, review commit for context

Keywords

SLSA provenance, attestation, cosign, Tekton Chains, build logs, commit SHA, source tracing, artifact metadata, supply chain security, SBOM debugging, pipeline logs, container image verification

working-with-provenance

Working with Provenance

Overview

When to Use

Quick Reference

Helper Scripts

Common Workflow

Attestation Structure

Common Mistakes

Real-World Example

Keywords

More from this repository

More from this repository

Working with Provenance

Overview

When to Use

Quick Reference

Helper Scripts

Common Workflow

Attestation Structure

Common Mistakes

Real-World Example

Keywords