// Use when CI behaves unexpectedly, when you need to understand how Tekton bundles are built, or when understanding non-obvious behavior with templated workflows, Checkton, migration validation, kustomize checks, or trusted artifacts generation.
Use when a scan task fails in a pipeline, when task results have unexpected values, when understanding scan output formats, or when debugging bundle build failures.
Use before pushing a PR for review, when CI checks fail, or when reviewing someone else's PR. Pre-push checklist covering all CI requirements, commit conventions, and documentation for task catalog PRs.
Use when creating task variants (remote, trusted-artifacts), working with recipe.yaml files, or when the check-ta CI workflow fails. Covers both Go generators, the recipe format, and the generation pipeline.
Use when creating a new task version, bumping version labels, writing migration scripts, or when versioning/migration CI checks fail. Covers version labels, CHANGELOG.md, migration scripts with pmt modify, and kustomized variant updates.
Use when writing tests for a Tekton task, running tests locally, debugging test failures in CI, or understanding the three testing layers (Kind cluster, Tekton integration, ShellSpec).
| name | ci-cd-quirks |
| description | Use when CI behaves unexpectedly, when you need to understand how Tekton bundles are built, or when understanding non-obvious behavior with templated workflows, Checkton, migration validation, kustomize checks, or trusted artifacts generation. |
This repo's CI is heterogeneous: templated GitHub Actions workflows, task-specific Tekton build pipelines with CEL-based path triggers, Conforma policies, and shared CI update automation. Several behaviors are non-obvious.
Files with <TEMPLATED FILE!> header come from task-repo-shared-ci.
Templated (do NOT edit):
hack/ directory.github/workflows/ (except task-specific ones).github/scripts/Local (edit freely):
task/ YAML files and directories.tekton/ build pipelines.tekton/integration/ test definitionspolicies/ Conforma policiesCODEOWNERS, renovate.json, README.mdUpdate template:
cruft update --skip-apply-ask --allow-untracked-files
Automated weekly via update-shared-ci.yaml workflow.
Each task version gets its own Tekton PipelineRun definition: .tekton/<task>-<ver>-pull-request.yaml and .tekton/<task>-<ver>-push.yaml
These are templated via Pipelines-as-Code and triggered by CEL expressions matching path changes.
Example: clair-scan-v03-pull-request.yaml triggers on changes to task/clair-scan/***
Build output:
quay.io/redhat-user-workloads/rhtap-integration-tenant/<task>:<tag>on-pr-<git-revision><git-revision><major.minor> — always points to latest bundle<task>-<identifier> — immutable snapshot
Both tags point to same image; use fixed tag for stability.
Checkton lints shell scripts embedded in YAML files.
Workflow: .github/workflows/checkton.yaml
What it checks: ShellCheck rules on every script: block in Tekton files
Behavior:
task-generator/ directoryhack/checkton-local.sh (requires podman/docker)Inline directives work:
script: |
# shellcheck disable=SC2016 # Single quotes with $ are fine
echo "$(params.my-param)"
Common failures:
$ (use double quotes for interpolation)"$var" not $var)Workflow: .github/workflows/task-lint.yaml
What it checks: $(params.*) used directly in .spec.steps[].script blocks
Why it fails: Raw parameter substitution = code injection risk. Tekton performs text replacement before script execution.
Correct pattern:
spec:
steps:
- name: my-step
env:
- name: IMAGE_URL
value: "$(params.image-url)"
script: |
echo "$IMAGE_URL" # NOT $(params.image-url)
Workflow: .github/workflows/check-task-migration.yaml
Requirements:
kubectl apply -f release.yaml)pmt (pipeline-migration-tool) in PATHValidation steps:
migrations/*.sh filesyq -i used instead of pmt modifyLocal testing:
# Prerequisites
kind create cluster
kubectl apply -f https://github.com/tektoncd/pipeline/releases/latest/download/release.yaml
go install github.com/konflux-ci/pipeline-migration-tool/cmd/pmt@latest
# Validate
IN_CLUSTER=1 bash ./hack/validate-migration.sh
Gotchas:
Workflow: .github/workflows/check-kustomize-build.yaml
What it checks: Generated manifest files are up to date
Command: hack/build-manifests.sh (uses oc kustomize binary)
Requirement: OpenShift CLI (oc) installed
Scope: Only rebuilds tasks with kustomization.yaml that reference external resources
Gotcha: Kustomize auto-adds comment # <auto-generated> at top of output — don't remove it
Workflow: .github/workflows/check-ta.yaml
Two checks:
hack/generate-ta-tasks.sh — generates from recipe.yamlhack/missing-ta-tasks.sh — flags workspace-using tasks without -oci-ta variantIgnore file (optional): .github/.ta-ignore.yaml or .ta-ignore.yaml
This file does not exist in this repo by default. Create it only when you need to exclude specific tasks or workspace names from the TA check.
paths:
- task/some-task/* # Don't require TA variant for this task
workspaces:
- netrc-auth # Workspace names that don't share data
- git-auth
Gotcha: Only tasks with workspaces that share data between tasks need TA variants. Read-only or local workspaces don't.
Location: policies/
Files:
all-tasks.yaml — Policies applied to all task bundlesbuild-tasks.yaml — Build-specific policiesstep-actions.yaml — Step action policiesPolicy enforcement: During bundle image build via Enterprise Contract
When regenerating multiple types of variants, run in this order:
hack/build-manifests.sh # Kustomize first
hack/generate-ta-tasks.sh # TA variants second
hack/generate-buildah-remote.sh # Remote variants last (if exists)
Or just: hack/generate-everything.sh
Why order matters: Later generators may depend on outputs of earlier ones.
| Surprise | Explanation |
|---|---|
| PR only triggers some Tekton pipelines | CEL expression scopes trigger to specific task paths. Check .tekton/<task>-pull-request.yaml. |
| "Stale manifests" even though I changed the right file | Kustomized task requires hack/build-manifests.sh. Re-run if you touched kustomization.yaml or patch.yaml. |
| Checkton flags inline script I didn't change | Differential mode uses full git history. Run locally: hack/checkton-local.sh to verify. |
| Migration check passes locally but fails in CI | Local version may not have Tekton installed. CI has it. Use IN_CLUSTER=1 bash ./hack/validate-migration.sh locally. |
generate-everything.sh changed files I didn't modify | Generators are deterministic but may update manifests when templates change. Commit generated files. |
Can't find generate-buildah-remote.sh | Verify it exists: ls hack/generate-buildah-remote.sh. May be added/removed by cruft updates. |
pmt commands are idempotent, but your script might not be. Test running migration twice.hack/check-task-owners.sh validates this.