
fix: VSA generation issues in verify-conforma-konflux-ta task#3118

Draft
arewm wants to merge 2 commits intoconforma:mainfrom
arewm:fix/ta-missing-basename

Conversation

@arewm
Contributor

@arewm arewm commented Feb 17, 2026

Summary

Fixes three issues with the verify-conforma-konflux-ta task when VSA generation is enabled:

  • Missing sourceDataArtifact param: The create-trusted-artifact step was not receiving the sourceDataArtifact param, causing basename "" to fail with "missing operand"
  • VSA output path rejected by ec CLI: --attestation-output-dir must point to a path under /tmp or the current working directory. Writing directly to /var/workdir/vsa was silently rejected, producing an empty directory. Fixed by writing to /tmp/vsa-output then copying to the workdir for trusted artifact archival
  • Trailing newlines in results: echo "true" writes "true\n" which doesn't match "true" in Tekton When Expressions, causing downstream tasks to be skipped. Fixed with echo -n
  • --vsa-upload only for dsse format: The local@ backend requires a signing key, so it should only be passed when ATTESTATION_FORMAT=dsse

Test plan

  • Validated end-to-end in a Kind cluster with Konflux: verify-conforma produces VSA files in the trusted artifact, downstream attach-vsa task extracts and attaches them to container images

🤖 Generated with Claude Code

@qodo-code-review
Contributor

Review Summary by Qodo

Add missing sourceDataArtifact parameter to trusted artifact task

🐞 Bug fix


Walkthroughs

Description
• Add missing sourceDataArtifact parameter to trusted artifact task
• Fixes basename error when pushing trusted artifacts
• Properly sets sourceDataArtifact from previous task results
Diagram

```mermaid
flowchart LR
  A["Task Parameters"] -->|missing sourceDataArtifact| B["basename Error"]
  C["Previous Task Results"] -->|sourceDataArtifact.path| D["Task Execution"]
  B -->|fix applied| D
```

File Changes

1. tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml 🐞 Bug fix +2/-0

Add sourceDataArtifact parameter to task configuration

• Added sourceDataArtifact parameter to task params section
• Parameter value references $(results.sourceDataArtifact.path) from previous task
• Resolves missing operand error in basename command execution


@qodo-code-review
Contributor

Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0)


Great, no issues found!

Qodo reviewed your code and found no material issues that require review


I encountered the error when trying to push a trusted artifact

```bash
 DDEBUG /usr/local/bin/create-archive.71: basename
  basename: missing operand
  Try 'basename --help' for more information.
  DEBUG /usr/local/bin/create-archive.71: artifact_name=
```

This was due to the fact that we were not properly setting the
sourceDataArtifact.

Signed-off-by: arewm <arewm@users.noreply.github.com>
@arewm arewm force-pushed the fix/ta-missing-basename branch from 8a8b30b to 728022f Compare February 17, 2026 19:32
@codecov

codecov bot commented Feb 17, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

| Flag        | Coverage Δ      |
|-------------|-----------------|
| acceptance  | 55.51% <ø> (ø)  |
| generative  | 18.56% <ø> (ø)  |
| integration | 27.56% <ø> (ø)  |
| unit        | 68.39% <ø> (ø)  |

Flags with carried forward coverage won't be shown.

@simonbaird
Copy link
Member

Patch looks reasonable. I don't think I understand the motivation though. What/where is /usr/local/bin/create-archive?

What is a sourceDataArtifact in this context, and what are you doing with the VSA content?

@simonbaird
Copy link
Member

/ok-to-test

@simonbaird
Copy link
Member

I found we do have some test coverage for this task in features/ta_task_validate_image.feature. That said, it looks like the ENABLE_VSA code path might be untested. Consider adding some extra scenarios to that feature so we have some coverage.

@simonbaird
Copy link
Member

simonbaird commented Feb 17, 2026

> What is a sourceDataArtifact in this context, and what are you doing with the VSA content?

I did some rtfm, and I know what this is now. 😅 Is your plan to consume the VSA as a "trusted artifact" input in another task?

@arewm arewm marked this pull request as draft February 17, 2026 21:24
@arewm
Copy link
Contributor Author

arewm commented Feb 17, 2026

I am still working on some additional changes when testing locally. I moved this PR to draft until I finish working on it.

@simonbaird
Copy link
Member

I did a sanity check on the bash, seems good:

```bash
$ echo "zocal@/foo/bar" | grep -oE 'local@[^ ]+' | sed 's/^local@//' | head -n1
# ..nothing

$ echo "local@/foo/bar" | grep -oE 'local@[^ ]+' | sed 's/^local@//' | head -n1
/foo/bar
```

Member


🤷

Suggested change
VSA_LOCAL_PATH=$(echo "$(params.VSA_UPLOAD)" | grep -oE 'local@[^ ]+' | sed 's/^local@//' | head -n1)
VSA_LOCAL_PATH=$(echo "$(params.VSA_UPLOAD)" | grep -oE '^local@[^ ]+' | sed 's/^local@//' | head -n1)
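Review bot: the `^` anchor in the suggested line tightens the match so that only a VSA_UPLOAD value that begins with `local@` yields a path; the unanchored form on the line above would also extract `local@...` from a longer value that merely contains it (the `zocal@` sanity check above does not exercise that case). Either form still stops at the first space because of `[^ ]+`, so a local path containing a space is truncated; that is worth a comment next to the variable if such paths are not meant to be supported.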

Three fixes for the verify-conforma-konflux-ta task:

1. Write VSA output to /tmp/vsa-output then copy to workdir. The ec
   CLI requires --attestation-output-dir to be under /tmp or cwd, so
   writing directly to /var/workdir/vsa was silently rejected.

2. Use echo -n for VSA_GENERATED result to avoid trailing newlines
   that break Tekton When Expression matching in downstream tasks.

3. Only pass --vsa-upload for dsse format since the local backend
   requires a signing key.

Assisted-by: Claude Code (Opus 4.6)
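As an added example (not code from this PR or the verify-conforma-konflux-ta task), the script below reproduces two string-handling points from the commit message above and the PR description: a result written with a trailing newline fails an exact When Expression comparison, and the `^` anchor in the suggested VSA_UPLOAD regex rejects values that merely contain `local@`. The function names, the `printf '%s'` stand-in for the task's `echo -n`, and the sample values are my own.

```shell
#!/bin/sh
# Added example; not code from conforma/cli or the Tekton task.

# 1. Tekton results and When Expressions.
#    A step writes a result file; a downstream When Expression compares the
#    file's bytes exactly against the literal "true".
write_result_echo() {       # original task: echo "true" writes "true\n"
  echo "true" > "$1"
}
write_result_no_newline() { # fixed task uses echo -n; printf '%s' is the
  printf '%s' "true" > "$1" # portable equivalent with the same bytes
}
when_matches() {            # $1 result file, $2 expected value
  # $(...) strips trailing newlines, so append a sentinel before comparing
  [ "$(cat "$1"; printf x)" = "${2}x" ]
}

# 2. Extracting the output directory from VSA_UPLOAD ("local@/some/dir").
vsa_local_path_unanchored() {   # form in the commit under review
  echo "$1" | grep -oE 'local@[^ ]+' | sed 's/^local@//' | head -n1
}
vsa_local_path() {              # reviewer's suggestion: anchor with ^
  echo "$1" | grep -oE '^local@[^ ]+' | sed 's/^local@//' | head -n1
}

# Demo on constructed values.
demo() {
  d=$(mktemp -d)
  write_result_echo "$d/with_nl"
  write_result_no_newline "$d/without_nl"
  if when_matches "$d/with_nl" true; then
    echo "echo:    matches"
  else
    echo "echo:    does NOT match (trailing newline)"
  fi
  if when_matches "$d/without_nl" true; then echo "echo -n: matches"; fi
  echo "unanchored: '$(vsa_local_path_unanchored 'rekor@x local@/foo')'"
  echo "anchored:   '$(vsa_local_path 'rekor@x local@/foo')'"
  rm -rf "$d"
}
demo
```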
@arewm arewm changed the title fix: basename was missing when pushing a trusted artifact fix: VSA generation issues in verify-conforma-konflux-ta task Feb 17, 2026
arewm added a commit to arewm/slsa-konflux-example that referenced this pull request Feb 18, 2026
The upstream verify-conforma-konflux-ta task had several issues when
VSA generation is enabled. This local copy fixes them while an
upstream PR (conforma/cli#3118) is pending.

The ec CLI requires --attestation-output-dir to be under /tmp or cwd,
so VSA output is written to /tmp/vsa-output then copied to the workdir
for trusted artifact archival. Results use echo -n to avoid trailing
newlines that broke Tekton When Expression matching downstream. The
--vsa-upload flag is only passed for dsse format since the local
backend requires a signing key. The conforma JSON report is included
in the trusted artifact for downstream SLSA VSA generation.

The taskRef is hardcoded to this repo to bypass the ec-defaults
ConfigMap injection (see konflux-ci/konflux-ci#5375).

Assisted-by: Claude Code (Opus 4.6)