@rhopp
Created June 11, 2026 11:53
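---
# Tekton Pipeline that clones a repository, builds one Python wheel from a
# caller-supplied "name==version" pin, and then runs SAST and malware scans
# against the produced artifact. Every task is resolved from an OCI bundle.
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
  name: build-single
spec:
  description: |
    Build a single Python wheel by specifying the package and version directly,
    bypassing the identify-packages step. Useful for manual/one-off builds.
    Usage: pass e.g. package="requests==2.31.0"
  params:
    - description: Source Repository URL
      name: git-url
      type: string
    - default: ""
      description: Revision of the Source Repository
      name: revision
      type: string
    - description: Fully Qualified Output Image
      name: output-image
      type: string
    # path-context, dockerfile, build-args and build-args-file are only
    # forwarded to sast-coverity-check in this pipeline; the build-wheels task
    # does not receive them.
    - default: .
      description: Path to the source code of an application's component from where to build image.
      name: path-context
      type: string
    - default: Dockerfile
      description: Path to the Dockerfile inside the context specified by parameter path-context
      name: dockerfile
      type: string
    # No task below references init's results, so within this pipeline
    # `rebuild` only reaches the init task itself.
    - default: "false"
      description: Force rebuild image
      name: rebuild
      type: string
    # Setting this to "true" skips every when-gated task below (Snyk,
    # Coverity and its availability probe, shell, unicode and ClamAV), so the
    # wheel image is published without any scan result. Runs that set it
    # should be restricted and reviewed.
    - default: "false"
      description: Skip checks against built image
      name: skip-checks
      type: string
    # hermetic and prefetch-input are passed to sast-coverity-check only. The
    # build-wheels task is not given either value, so this pipeline does not by
    # itself network-isolate the wheel build.
    - default: "false"
      description: Execute the build with network isolation
      name: hermetic
      type: string
    - default: ""
      description: Build dependencies to be prefetched
      name: prefetch-input
      type: string
    - default: ""
      description: Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.
      name: image-expires-after
      type: string
    # Declared but not referenced by any task in this pipeline.
    - default: "false"
      description: Add built image into an OCI image index
      name: build-image-index
      type: string
    - default: []
      description: Array of --build-arg values ("arg=value" strings) for buildah
      name: build-args
      type: array
    - default: ""
      description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file
      name: build-args-file
      type: string
    # Declared but not referenced by any task in this pipeline.
    - default: "false"
      description: Whether to enable privileged mode, should be used only with remote VMs
      name: privileged-nested
      type: string
    # Caller-controlled and handed to build-wheels unmodified. The
    # name==version shape is not enforced here.
    # NOTE(review): confirm the build task validates it before use.
    - description: 'Package to build in name==version format (e.g. "requests==2.31.0")'
      name: package
      type: string
    - default: "1"
      description: Git clone depth
      name: git-clone-depth
      type: string
    - name: enable-cache-proxy
      default: "false"
      description: Enable cache proxy configuration
      type: string
    - name: sast-target-dirs
      type: string
      default: .
      description: Target directories to scan with SAST tools. Multiple values should be separated with commas.
  results:
    # Both image results come from build-wheels, i.e. they describe the
    # "<output-image>.wheel" artifact, not output-image itself.
    - description: ""
      name: IMAGE_URL
      value: $(tasks.build-wheels.results.IMAGE_URL)
    - description: ""
      name: IMAGE_DIGEST
      value: $(tasks.build-wheels.results.IMAGE_DIGEST)
    # CHAINS-GIT_* record the cloned source URL and commit.
    # NOTE(review): presumably consumed by Tekton Chains for provenance;
    # confirm these names are kept if the results are ever renamed.
    - description: ""
      name: CHAINS-GIT_URL
      value: $(tasks.clone-repository.results.url)
    - description: ""
      name: CHAINS-GIT_COMMIT
      value: $(tasks.clone-repository.results.commit)
  tasks:
    - name: init
      params:
        - name: image-url
          value: $(params.output-image)
        - name: rebuild
          value: $(params.rebuild)
        - name: skip-checks
          value: $(params.skip-checks)
        - name: enable-cache-proxy
          value: $(params.enable-cache-proxy)
      taskRef:
        params:
          - name: name
            value: init
          - name: bundle
            value: quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:5a423246792ac501ea279229b42ee57da9927da441c04b5c9ff86817b0856b08
          - name: kind
            value: task
        resolver: bundles
    - name: clone-repository
      params:
        - name: url
          value: $(params.git-url)
        - name: revision
          value: $(params.revision)
        - name: fetchTags
          value: "true"
        - name: depth
          value: $(params.git-clone-depth)
        # The cloned source is stored as an OCI artifact next to the output
        # image and shares its expiry setting.
        - name: ociStorage
          value: $(params.output-image).git
        - name: ociArtifactExpiresAfter
          value: $(params.image-expires-after)
      taskRef:
        params:
          - name: name
            value: git-clone-oci-ta
          - name: bundle
            value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:d30f13dd15daf89dd6dc645243b3444d35570d13f7840c3fd65e366022515205
          - name: kind
            value: task
        resolver: bundles
      workspaces:
        # Git credentials come from the optional pipeline workspace git-auth.
        - name: basic-auth
          workspace: git-auth
    - name: build-wheels
      params:
        - name: PACKAGES
          value:
            - $(params.package)
        - name: IMAGE
          value: $(params.output-image).wheel
        - name: IMAGE_EXPIRES_AFTER
          value: $(params.image-expires-after)
        - name: SOURCE_ARTIFACT
          value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
        # The package index is fixed here and is not a pipeline parameter.
        - name: WHEEL_SERVER_URL
          value: https://packages.redhat.com/api/pypi/public-trusted-libraries/main/simple/
      taskRef:
        params:
          - name: name
            value: build-python-wheels-oci-ta
          # Unlike the other bundles, this one is hosted in a tenant
          # repository and is referenced by digest only, with no version tag.
          # The digest still pins the content.
          # NOTE(review): confirm the bundle is covered by whatever
          # trusted-task policy gates releases.
          - name: bundle
            value: quay.io/redhat-user-workloads/calunga-tenant/task-build-python-wheels@sha256:cefbc8f3df1246b43a9f0567485d613c63762e51ff78fbd31419d5bf02d260cf
          - name: kind
            value: task
        resolver: bundles
    - name: sast-snyk-check
      params:
        - name: image-digest
          value: $(tasks.build-wheels.results.IMAGE_DIGEST)
        - name: image-url
          value: $(tasks.build-wheels.results.IMAGE_URL)
        - name: SOURCE_ARTIFACT
          value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
        - name: TARGET_DIRS
          value: $(params.sast-target-dirs)
      taskRef:
        params:
          - name: name
            value: sast-snyk-check-oci-ta
          - name: bundle
            value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:0ebf28a0abd5a167438d4628938a74ade6f00a44a4b7ed1cfa9cfc57a5b24748
          - name: kind
            value: task
        resolver: bundles
      when:
        - input: $(params.skip-checks)
          operator: in
          values:
            - "false"
    - name: sast-coverity-check
      params:
        - name: image-digest
          value: $(tasks.build-wheels.results.IMAGE_DIGEST)
        - name: image-url
          value: $(tasks.build-wheels.results.IMAGE_URL)
        - name: IMAGE
          value: $(params.output-image)
        - name: DOCKERFILE
          value: $(params.dockerfile)
        - name: CONTEXT
          value: $(params.path-context)
        - name: HERMETIC
          value: $(params.hermetic)
        - name: PREFETCH_INPUT
          value: $(params.prefetch-input)
        - name: IMAGE_EXPIRES_AFTER
          value: $(params.image-expires-after)
        - name: COMMIT_SHA
          value: $(tasks.clone-repository.results.commit)
        - name: BUILD_ARGS
          value:
            - $(params.build-args[*])
        - name: BUILD_ARGS_FILE
          value: $(params.build-args-file)
        - name: SOURCE_ARTIFACT
          value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
        - name: TARGET_DIRS
          value: $(params.sast-target-dirs)
      taskRef:
        params:
          - name: name
            value: sast-coverity-check-oci-ta
          - name: bundle
            value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:e92d00ed858233d0096627861192d3e4fc013cf1559c0d0b0ea0657d3377ce75
          - name: kind
            value: task
        resolver: bundles
      when:
        - input: $(params.skip-checks)
          operator: in
          values:
            - "false"
        # The reference to the availability probe's STATUS result also orders
        # this task after coverity-availability-check. Any STATUS other than
        # "success" skips the Coverity scan instead of failing the run.
        - input: $(tasks.coverity-availability-check.results.STATUS)
          operator: in
          values:
            - success
    - name: coverity-availability-check
      taskRef:
        params:
          - name: name
            value: coverity-availability-check
          - name: bundle
            value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:8b501440a960aec446db2ebc6625a49d0317a9fc7bf0f7bd9b18cb63052db7de
          - name: kind
            value: task
        resolver: bundles
      when:
        - input: $(params.skip-checks)
          operator: in
          values:
            - "false"
    - name: sast-shell-check
      params:
        - name: image-digest
          value: $(tasks.build-wheels.results.IMAGE_DIGEST)
        - name: image-url
          value: $(tasks.build-wheels.results.IMAGE_URL)
        - name: SOURCE_ARTIFACT
          value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
        - name: TARGET_DIRS
          value: $(params.sast-target-dirs)
      taskRef:
        params:
          - name: name
            value: sast-shell-check-oci-ta
          - name: bundle
            value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:3cbb3535af6e7d4396858179a6427caaffb2e68775594795692fc01f28ae313f
          - name: kind
            value: task
        resolver: bundles
      when:
        - input: $(params.skip-checks)
          operator: in
          values:
            - "false"
    - name: sast-unicode-check
      params:
        - name: image-digest
          value: $(tasks.build-wheels.results.IMAGE_DIGEST)
        - name: image-url
          value: $(tasks.build-wheels.results.IMAGE_URL)
        - name: SOURCE_ARTIFACT
          value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
        - name: TARGET_DIRS
          value: $(params.sast-target-dirs)
      taskRef:
        params:
          - name: name
            value: sast-unicode-check-oci-ta
          - name: bundle
            value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.4@sha256:223812001607b07f0e07d56bef7b7d619144e660c0c57f21ddd44ce0c8c4785b
          - name: kind
            value: task
        resolver: bundles
      when:
        - input: $(params.skip-checks)
          operator: in
          values:
            - "false"
    - name: clamav-scan
      params:
        - name: image-digest
          value: $(tasks.build-wheels.results.IMAGE_DIGEST)
        - name: image-url
          value: $(tasks.build-wheels.results.IMAGE_URL)
      taskRef:
        params:
          - name: name
            value: clamav-scan
          - name: bundle
            value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:567cb66bd2e1f4b58b9d4d756f3317fc62479e0b40aa0de66094b1f12d296cfc
          - name: kind
            value: task
        resolver: bundles
      when:
        - input: $(params.skip-checks)
          operator: in
          values:
            - "false"
  workspaces:
    - name: git-auth
      optional: true
    # Declared but not bound to any task in this pipeline.
    - name: netrc
      optional: true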