// Use when creating task variants (remote, trusted-artifacts), working with recipe.yaml files, or when the check-ta CI workflow fails. Covers both Go generators, the recipe format, and the generation pipeline.
| name | task-generator-usage |
| description | Use when creating task variants (remote, trusted-artifacts), working with recipe.yaml files, or when the check-ta CI workflow fails. Covers both Go generators, the recipe format, and the generation pipeline. |
Two Go programs in task-generator/ generate task variants: remote for multi-platform builds, and trusted-artifacts for OCI-based artifact sharing. Trusted-artifacts is enforced by CI; remote is optional.
recipe.yaml configuration| Generator | Path | Purpose | Use When |
|---|---|---|---|
| Trusted Artifacts | task-generator/trusted-artifacts/ | Generates OCI-TA variants from recipe.yaml | Task uses workspaces to share data |
| Remote | task-generator/remote/ | Generates multi-platform variants | Need multiple architectures (x86, arm64) |
Any task that uses workspaces to share data with other tasks needs a TA variant.
The CI check hack/missing-ta-tasks.sh in .github/workflows/check-ta.yaml enforces this automatically.
Exception: Workspace is listed in .ta-ignore.yaml (e.g., netrc-auth for read-only creds)
Step 1: Create directory mirroring base task structure
task/<task-name>-oci-ta/
Step 2: Create recipe.yaml (TA generator configuration)
---
base: ../../<task-name>/<task-name>.yaml
add:
- create-source
- use-source
removeWorkspaces:
- source # Remove workspaces no longer needed in TA variant
replacements:
- old: image: quay.io/external/image
new: image: quay.io/internal/image
addParams:
- name: ca-trust-config-map
description: ConfigMap with CA certs
type: string
addResult:
- name: ta-report
type: string
Step 3: Generate the TA variant YAML
hack/generate-ta-tasks.sh
Output: task/<task-name>-oci-ta/<task-name>-oci-ta.yaml (auto-generated)
Step 4: Commit both recipe.yaml and generated YAML
git add task/<task-name>-oci-ta/
git commit -m "feat: add trusted-artifacts variant of <task-name>"
Basic options:
| Option | Purpose | Example |
|---|---|---|
base | Path to base task YAML (relative to recipe.yaml) | ../../clair-scan/clair-scan.yaml |
add | Transformations to apply | create-source, use-source, copy-from-source |
removeWorkspaces | Workspace names to remove | source, temp |
removeSteps | Step names to remove from task | setup, cleanup |
replacements | String replacements in YAML | old: / new: pairs |
regexReplacements | Regex-based replacements | regex: / replacement: pairs |
addParams | Parameters to add | name:, type:, description: |
addResults | Results to add | name:, type: |
addEnvironment | Environment variables | name:, value: |
Detailed format:
base: ../../task-name/task-name.yaml
add:
- create-source # Creates source archive from input workspace
- use-source # Uses source archive instead of workspace
- copy-from-source # Copies specific files from archive
removeWorkspaces:
- workspace-name
removeSteps:
- step-name
replacements:
- old: "old-string"
new: "new-string"
regexReplacements:
- regex: "pattern.*"
replacement: "new-value"
addParams:
- name: param-name
type: string
default: "default-value"
description: "Description of parameter"
addResults:
- name: result-name
type: string
addEnvironment:
- name: ENV_VAR
value: "value"
For kustomized tasks (like -min variants), the TA variant can also be kustomized.
Structure:
task/<task-name>-oci-ta/
├── CHANGELOG.md
├── recipe.yaml
└── kustomization.yaml # References base TA variant
Example kustomization.yaml:
bases:
- ../../<task-name>-oci-ta
patchesStrategicMerge:
- patch.yaml
For complete recipe.yaml format and examples, see the upstream repository:
https://github.com/konflux-ci/build-definitions/tree/main/task-generator/trusted-artifacts
When regenerating multiple types of variants, run in this exact order:
hack/build-manifests.sh # Step 1: Kustomize manifests
hack/generate-ta-tasks.sh # Step 2: Trusted-artifacts variants
hack/generate-buildah-remote.sh # Step 3: Remote variants
Or run all at once:
hack/generate-everything.sh
Why order matters: Later generators depend on outputs of earlier ones.
Both generators have unit tests:
cd task-generator/trusted-artifacts
go test ./...
cd ../remote
go test ./...
Golden tests: Reference test outputs in task-generator/trusted-artifacts/golden/
These ensure generated YAML is reproducible and matches expected format.
If a workspace-using task should NOT have a TA variant, add it to .ta-ignore.yaml:
Path: .github/.ta-ignore.yaml or .ta-ignore.yaml (highest precedence first)
# Task paths (glob patterns) to ignore
paths:
- task/some-task/*
- task/another-task/*/*
# Workspace names that don't require TA variants
# (local or read-only workspaces, not shared between tasks)
workspaces:
- netrc-auth
- git-auth
- ca-trust
Workflow: .github/workflows/check-ta.yaml
Checks:
hack/generate-ta-tasks.sh succeedshack/missing-ta-tasks.sh finds no workspace-using tasks without TA variants| Mistake | Fix |
|---|---|
| Generated YAML file not committed | Run hack/generate-ta-tasks.sh, commit output alongside recipe.yaml |
| recipe.yaml path wrong | Use relative path from recipe.yaml to base task. Verify with ls from recipe.yaml location. |
Missing -oci-ta CHANGELOG.md | Create task/<name>-oci-ta/CHANGELOG.md with same format as base task |
| Go mod tidy drift in generator | cd task-generator/<dir> && go mod tidy && go mod vendor |
| Generator binary not in PATH | Install: go install ./cmd/... from task-generator directory |
| Edited generated YAML by hand | Don't. Regenerate from recipe.yaml. Your edits will be lost on next run. |
| Wrong base task path in recipe.yaml | Check path exists: ls $(dirname recipe.yaml)/<base-path> |
Use when CI behaves unexpectedly, when you need to understand how Tekton bundles are built, or when understanding non-obvious behavior with templated workflows, Checkton, migration validation, kustomize checks, or trusted artifacts generation.
Use when a scan task fails in a pipeline, when task results have unexpected values, when understanding scan output formats, or when debugging bundle build failures.
Use before pushing a PR for review, when CI checks fail, or when reviewing someone else's PR. Pre-push checklist covering all CI requirements, commit conventions, and documentation for task catalog PRs.
Use when creating a new task version, bumping version labels, writing migration scripts, or when versioning/migration CI checks fail. Covers version labels, CHANGELOG.md, migration scripts with pmt modify, and kustomized variant updates.
Use when writing tests for a Tekton task, running tests locally, debugging test failures in CI, or understanding the three testing layers (Kind cluster, Tekton integration, ShellSpec).