
Trigger conforma e2e tests on cli pull requests #3334

Open: cuipinghuo wants to merge 1 commit into conforma:main from cuipinghuo:integrate-e2e

@cuipinghuo

Contributor

Add a PipelineRun that triggers the conforma/e2e-tests pipeline when a PR targets the main branch, using the Tekton git resolver.

Ref: https://redhat.atlassian.net/browse/KONFLUX-14184

@coderabbitai

coderabbitai Bot commented Jun 11, 2026


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 5f58ec66-3fc6-4b83-ad2d-9dd255026bb7

📥 Commits

Reviewing files that changed from the base of the PR and between 0de5cb1 and 39afc8b.

📒 Files selected for processing (1)
  • .tekton/cli-e2e-pull-request.yaml
Walkthrough

This PR introduces a new Tekton PipelineRun manifest that automatically triggers E2E tests on pull requests targeting the main branch. The manifest configures pipeline parameters for git repository, container registry, and AWS credentials, and resolves the pipeline definition from the external conforma/e2e-tests repository.

Changes

E2E PipelineRun Definition

| Layer / File(s) | Summary |
|---|---|
| PipelineRun Manifest and Configuration (.tekton/cli-e2e-pull-request.yaml) | New Tekton PipelineRun named cli-e2e-on-pull-request in the rhtap-contract-tenant namespace. Metadata and AppStudio/Tekton annotations declare the resource identity, configure a CEL trigger condition to run only on pull requests targeting main, enable run cancellation-in-progress, and set retention limits. The spec wires parameters for the E2E tests git repository, OCI container registry with credentials, and AWS credentials/deprovision secrets. A pipelineRef resolver points to .tekton/pipelines/conforma-e2e/pipeline.yaml in the conforma/e2e-tests git repo, and taskRunTemplate assigns the konflux-integration-runner service account for task execution. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately describes the main change: adding a trigger for conforma e2e tests on CLI pull requests via a new Tekton PipelineRun manifest. |
| Description check | ✅ Passed | The description is directly related to the changeset, explaining the addition of a PipelineRun manifest that triggers e2e tests on PRs targeting main. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@fullsend-ai-review


🤖 Review · Started 7:23 PM UTC
Commit: 47d3320 · View workflow run →

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.tekton/cli-e2e-pull-request.yaml:
- Line 4: The manifest contains a duplicate YAML mapping key "metadata.name"
which makes the resource invalid; remove the redundant "metadata.name" entry so
only a single metadata.name is present in the same mapping (locate the duplicate
"metadata.name" keys in the resource block and delete the second occurrence or
merge its value into the first), ensuring the final YAML has exactly one
metadata.name definition for this resource.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 30a1eea7-c2c1-4ca8-9a5e-d4852e442f0c

📥 Commits

Reviewing files that changed from the base of the PR and between c6df9ad and 0de5cb1.

📒 Files selected for processing (1)
  • .tekton/cli-e2e-pull-request.yaml

Add a PipelineRun that triggers the conforma/e2e-tests pipeline
when a PR targets the main branch, using the Tekton git resolver.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Ref: https://redhat.atlassian.net/browse/KONFLUX-14184
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 11, 2026


🤖 Finished Review · ✅ Success · Started 7:33 PM UTC · Completed 7:40 PM UTC
Commit: 47d3320 · View workflow run →

@fullsend-ai-review


Review

Findings

Medium

  • [logic-error] .tekton/cli-e2e-pull-request.yaml:30 — The parameter aws-credentials-secret is declared twice with identical name and value (mapt-kind-secret). Tekton requires unique parameter names in a PipelineRun; duplicate entries will cause the PipelineRun to fail validation at submission time. This is a copy-paste error.
    Remediation: Remove one of the two aws-credentials-secret entries.

  • [unpinned-pipeline-ref] .tekton/cli-e2e-pull-request.yaml:36 — The pipelineRef uses the Tekton git resolver to fetch a pipeline from conforma/e2e-tests.git at revision main without a commit-SHA pin. A compromise of the main branch (or a force-push) would silently change what pipeline definition executes in this tenant. The existing .tekton files pin every task reference to an immutable bundle digest. See also: [secret-exposure] finding.
    Remediation: Pin the git resolver revision parameter to a specific commit SHA instead of the mutable branch name main.

  • [secret-exposure] .tekton/cli-e2e-pull-request.yaml:28 — Secret references (konflux-test-infra and mapt-kind-secret) are passed as parameters to a pipeline fetched from an unpinned mutable git ref. A compromised upstream pipeline definition could exfiltrate these secrets. See also: [unpinned-pipeline-ref] finding.
    Remediation: Pin the pipeline ref revision to a specific commit SHA.

Low

  • [service-account-divergence] .tekton/cli-e2e-pull-request.yaml:42 — Uses serviceAccountName konflux-integration-runner instead of the existing build-pipeline-cli-main. This is expected since the new file is a test pipeline (type: test) rather than a build pipeline.

Info

  • [sub-agent-failure] The style-conventions and intent-coherence sub-agents were unavailable (model not deployed). These are non-critical review dimensions for this change.
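The duplicate-parameter, unpinned-ref and secret-exposure findings above, expressed as a pre-merge lint (an added example, not code from the PR or from either review bot). It assumes the manifest has already been parsed into a dict, for example with PyYAML's `yaml.safe_load`; `lint_pipelinerun`, `COMMIT_RE` and `SAMPLE` are hypothetical names, and the sample is constructed from the fragments quoted in the review.

```python
import re
from collections import Counter

# Full commit id: 40 hex chars (SHA-1) or 64 (SHA-256 repositories).
COMMIT_RE = re.compile(r"^[0-9a-f]{40}([0-9a-f]{24})?$")

def lint_pipelinerun(manifest):
    """Return (rule, detail) findings for a PipelineRun parsed into a dict."""
    findings = []
    spec = manifest.get("spec", {})
    params = spec.get("params", [])
    # Rule 1: parameter names in spec.params must be unique.
    counts = Counter(str(p.get("name")) for p in params)
    for name in sorted(n for n, c in counts.items() if c > 1):
        findings.append(("duplicate-param", f"{name} declared {counts[name]} times"))
    # Rule 2: a git-resolved pipelineRef must name a commit, not a branch or tag.
    ref = spec.get("pipelineRef", {})
    if ref.get("resolver") == "git":
        rp = {p.get("name"): str(p.get("value", "")) for p in ref.get("params", [])}
        revision = rp.get("revision", "")
        if not COMMIT_RE.match(revision):
            findings.append(("unpinned-pipeline-ref",
                             f"{rp.get('url')} at revision {revision or '<unset>'}"))
            # Rule 3: secret references handed to that mutable definition.
            # Matching on the "-secret" name suffix is a heuristic (assumption).
            for name in sorted(n for n in counts if n.endswith("-secret")):
                findings.append(("secret-exposure", name))
    return findings

# Constructed sample: only the fields quoted in the review, not the PR's full file.
SAMPLE = {
    "kind": "PipelineRun",
    "spec": {
        "params": [
            {"name": "oci-container-repo-credentials-secret", "value": "konflux-test-infra"},
            {"name": "aws-credentials-secret", "value": "mapt-kind-secret"},
            {"name": "aws-credentials-secret", "value": "mapt-kind-secret"},
        ],
        "pipelineRef": {"resolver": "git", "params": [
            {"name": "url", "value": "https://github.com/conforma/e2e-tests.git"},
            {"name": "revision", "value": "main"},
            {"name": "pathInRepo", "value": ".tekton/pipelines/conforma-e2e/pipeline.yaml"},
        ]},
    },
}

if __name__ == "__main__":
    for rule, detail in lint_pipelinerun(SAMPLE):
        print(f"{rule}: {detail}")
```

With the duplicate entry removed and `revision` set to a full commit id, the function returns an empty list, so it can gate merges on a zero-findings result.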

@fullsend-ai-review fullsend-ai-review Bot left a comment


See the review comment for full details.

value: konflux-test-infra
- name: aws-credentials-secret
value: mapt-kind-secret
- name: deprovision-aws-credentials-secret


[medium] logic-error

The parameter aws-credentials-secret is declared twice with identical name and value (mapt-kind-secret). In Tekton, spec.params requires unique parameter names in a PipelineRun; duplicate entries will cause the PipelineRun to fail validation at submission time. This is a copy-paste error.

Suggested fix: Remove one of the two aws-credentials-secret entries.

resolver: git
params:
- name: url
value: https://github.com/conforma/e2e-tests.git


[medium] unpinned-pipeline-ref

The pipelineRef uses the Tekton git resolver to fetch a pipeline from https://github.com/conforma/e2e-tests.git at revision main without a commit-SHA pin. A compromise of the main branch of conforma/e2e-tests (or a force-push) would silently change what pipeline definition executes in this tenant. The existing .tekton files pin every task reference to an immutable bundle digest. See also: [secret-exposure] finding at this location.

Suggested fix: Pin the git resolver revision parameter to a specific commit SHA instead of the mutable branch name main. Update the SHA deliberately when the upstream pipeline changes.

value: quay.io/conforma/e2e-tests
- name: oci-container-repo-credentials-secret
value: konflux-test-infra
- name: aws-credentials-secret


[medium] secret-exposure

Secret references (konflux-test-infra and mapt-kind-secret) are passed as parameters to a pipeline fetched from an unpinned mutable git ref (revision main). A compromised upstream pipeline definition could exfiltrate these secrets. This is a direct consequence of the unpinned pipeline ref. See also: [unpinned-pipeline-ref] finding at this location.

Suggested fix: Pin the pipeline ref revision to a specific commit SHA to prevent a compromised upstream from accessing these secrets.

- name: pathInRepo
value: .tekton/pipelines/conforma-e2e/pipeline.yaml
taskRunTemplate:
serviceAccountName: konflux-integration-runner


[low] service-account-divergence

The new PipelineRun uses serviceAccountName konflux-integration-runner, whereas the existing build PipelineRuns use build-pipeline-cli-main. This is expected since the new file is an integration test pipeline (type: test) rather than a build pipeline (type: build), and using a dedicated SA for integration tests is a standard Konflux pattern.

@codecov

codecov Bot commented Jun 11, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.

| Flag | Coverage Δ |
|---|---|
| acceptance | 53.56% <ø> (-2.04%) ⬇️ |
| generative | 16.87% <ø> (-0.95%) ⬇️ |
| integration | 27.80% <ø> (+1.24%) ⬆️ |
| unit | 69.05% <ø> (+<0.01%) ⬆️ |

see 13 files with indirect coverage changes
