.github/actions/install-tkn/action.yaml

@@ -0,0 +1,12 @@
+# yamllint disable-file
+---
+name: Install tkn
+runs:
+  using: "composite"
+  steps:
+    - run: |
+        curl -LO "https://github.com/tektoncd/cli/releases/download/v${TKN_CLI_VERSION}/tektoncd-cli-${TKN_CLI_VERSION}_Linux-64bit.deb"
+        sudo dpkg -i ./tektoncd-cli-${TKN_CLI_VERSION}_Linux-64bit.deb
+      shell: bash
+      env:
+        TKN_CLI_VERSION: 0.38.1

.github/pull_request_template.md

@@ -0,0 +1,4 @@
+# Before you complete this pull request ...
+
+Look for any open pull requests in the repository with the title "e2e-tests update" and 
+see if there are recent e2e-tests updates that will be applicable to your change.

.github/resources/workspace-template.yaml

@@ -0,0 +1,7 @@
+---
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Mi

.github/scripts/test_tekton_tasks.sh

@@ -0,0 +1,187 @@
+#!/bin/bash
+
+set -e
+# This script will run task tests for all task directories
+# provided either via TEST_ITEMS env var, or as arguments
+# when running the script.
+#
+# Requirements:
+# - Connection to a running k8s cluster (e.g. kind)
+# - upstream konflux-ci installed on the cluster ( Follow steps from: https://github.com/konflux-ci/konflux-ci?tab=readme-ov-file#bootstrapping-the-cluster)
+# - tkn installed
+#
+# Examples of usage:
+# export TEST_ITEMS="task/git-clone/0.1 some/other/dir"
+# ./test_tekton_tasks.sh
+#
+# or
+#
+# ./test_tekton_tasks.sh task/git-clone/0.1 some/other/dir
+
+# Define a custom kubectl path if you like
+KUBECTL_CMD=${KUBECTL_CMD:-kubectl}
+
+# yield empty strings for unmatched patterns
+shopt -s nullglob
+
+WORKSPACE_TEMPLATE=${BASH_SOURCE%/*/*}/resources/workspace-template.yaml
+
+if [[ -z $@ || ${1} == "-h" ]]; then
+    cat <<EOF
+Error: No task directories.
+
+Usage:
+
+$0 [item1] [item2] [...]
+
+Example: ./.github/scripts/test_tekton_tasks.sh task/git-clone/0.1
+
+or
+
+export TEST_ITEMS="item1 item2 ..."
+
+$0
+
+Items can be task directories including version or paths to task test yaml files (useful when working on a single test)
+EOF
+  exit 1
+fi
+
+if [ $# -gt 0 ]; then
+  TEST_ITEMS=$@
+fi
+
+# Check that all directories or test yamls exist. If not, fail
+for ITEM in $TEST_ITEMS; do
+  if [[ "$ITEM" == *tests/test-*.yaml && -f "$ITEM" ]]; then
+    true
+  elif [[ -d "$ITEM" ]]; then
+    true
+  else
+    echo "Error: Invalid test yaml file or task directory: $ITEM"
+    exit 1
+  fi
+done
+
+for ITEM in $TEST_ITEMS; do
+  echo "Test item: $ITEM"
+  TASK_DIR=$(echo $ITEM | cut -d '/' -f -3)
+  TASK_NAME=$(echo $ITEM | cut -d '/' -f 2)
+  TASK_VERSION=$(echo $ITEM | cut -d '/' -f 3)
+  echo "DEBUG: Task name: $TASK_NAME"
+  echo "DEBUG: Task version: $TASK_VERSION"
+
+  TASK_VERSION_WITH_HYPHEN="$(echo $TASK_VERSION | tr '.' '-')"
+  TEST_NS="${TASK_NAME}-${TASK_VERSION_WITH_HYPHEN}"
+
+  TASK_PATH=${TASK_DIR}/${TASK_NAME}.yaml
+  # check if task file exists or not
+  if [ ! -f $TASK_PATH ]; then
+    echo "ERROR: Task file does not exist: $TASK_PATH"
+    exit 1
+  fi
+
+  # Check if tests dir exists under task dir
+  TESTS_DIR=${TASK_DIR}/tests
+  if [ ! -d $TESTS_DIR ]; then
+    echo "ERROR: tests dir does not exist: $TESTS_DIR"
+    exit 1
+  fi
+
+  # check if tests yamls exists
+  if [[ "$ITEM" == *tests/test-*.yaml ]]; then
+    TEST_PATHS=($ITEM)
+  else
+    TEST_PATHS=($TESTS_DIR/test-*.yaml)
+  fi
+  if [ ${#TEST_PATHS[@]} -eq 0 ]; then
+    echo "WARNING: No tests for test item $ITEM ... Skipping..."
+    continue
+  fi
+
+  # Use a copy of the task file to prevent modifying the original task file
+  TASK_COPY=$(mktemp /tmp/task.XXXXXX)
+  clean() { rm -f ${TASK_COPY}; }
+  trap clean EXIT
+
+  cp "$TASK_PATH" "$TASK_COPY"
+
+  # run the pre-apply-task-hook.sh if exists
+  if [ -f ${TESTS_DIR}/pre-apply-task-hook.sh ]
+  then
+    echo "Found pre-apply-task-hook.sh file in dir: $TESTS_DIR. Executing..."
+    ${TESTS_DIR}/pre-apply-task-hook.sh "$TASK_COPY"
+  fi
+
+  # Create test namespace
+  ${KUBECTL_CMD} create namespace ${TEST_NS}
+
+  # Create the service account appstudio-pipeline (konflux spedific requirement)
+  $KUBECTL_CMD create sa appstudio-pipeline -n ${TEST_NS}
+
+  # dry-run this YAML to validate and also get formatting side-effects.
+  ${KUBECTL_CMD} -n ${TEST_NS} create -f ${TASK_COPY} --dry-run=client -o yaml
+
+  echo "INFO: Installing task"
+  ${KUBECTL_CMD} apply -f "$TASK_COPY" -n "$TEST_NS"
+
+  for TEST_PATH in ${TEST_PATHS[@]}; do
+    echo "========== Starting Test Pipeline: $TEST_PATH =========="
+    echo "INFO: Installing test pipeline: $TEST_PATH"
+    ${KUBECTL_CMD} -n ${TEST_NS} apply -f $TEST_PATH
+    TEST_NAME=$(yq '.metadata.name' $TEST_PATH)
+
+    # Sometimes the pipeline is not available immediately
+    while ! ${KUBECTL_CMD} -n ${TEST_NS} get pipeline $TEST_NAME > /dev/null 2>&1; do
+      echo "DEBUG: Pipeline $TEST_NAME not ready. Waiting 5s..."
+      sleep 5
+    done
+
+    PIPELINERUN=$(tkn p start $TEST_NAME -n ${TEST_NS} -w name=tests-workspace,volumeClaimTemplateFile=$WORKSPACE_TEMPLATE  -o json | jq -r '.metadata.name')
+    echo "INFO: Started pipelinerun: $PIPELINERUN"
+    sleep 1  # allow a second for the prun object to appear (including a status condition)
+    while [ "$(${KUBECTL_CMD} get pr $PIPELINERUN -n ${TEST_NS} -o=jsonpath='{.status.conditions[0].status}')" == "Unknown" ]; do
+      echo "DEBUG: PipelineRun $PIPELINERUN is in progress (status Unknown). Waiting for update..."
+      sleep 5
+    done
+    tkn pr logs $PIPELINERUN -n ${TEST_NS}
+
+    PR_STATUS=$(${KUBECTL_CMD} get pr $PIPELINERUN -n ${TEST_NS} -o=jsonpath='{.status.conditions[0].status}')
+
+    ASSERT_TASK_FAILURE=$(yq '.metadata.annotations.test/assert-task-failure' < $TEST_PATH)
+    if [ "$ASSERT_TASK_FAILURE" != "null" ]; then
+      if [ "$PR_STATUS" == "True" ]; then
+        echo "INFO: Pipeline $TEST_NAME is succeeded but was expected to fail"
+        exit 1
+      else
+        echo "DEBUG: Pipeline $TEST_NAME failed (expected). Checking that it failed in task ${ASSERT_TASK_FAILURE}..."
+
+        # Check that the pipelinerun failed on the tested task and not somewhere else
+        TASKRUN=$(${KUBECTL_CMD} get pr $PIPELINERUN -n ${TEST_NS} -o json|jq -r ".status.childReferences[] | select(.pipelineTaskName == \"${ASSERT_TASK_FAILURE}\") | .name")
+        if [ -z "$TASKRUN" ]; then
+          echo "ERROR: Unable to find task $ASSERT_TASK_FAILURE in childReferences of pipelinerun $PIPELINERUN. Pipelinerun failed earlier?"
+          exit 1
+        else
+          echo "DEBUG: Found taskrun $TASKRUN"
+        fi
+        if [ $(${KUBECTL_CMD} get tr $TASKRUN -n ${TEST_NS} -o=jsonpath='{.status.conditions[0].status}') != "False" ]; then
+          echo "ERROR: Taskrun did not fail - pipelinerun failed later on?"
+          exit 1
+        else
+          echo "INFO: Taskrun failed as expected"
+        fi
+
+      fi
+    else
+      if [ "$PR_STATUS" == "True" ]; then
+        echo "INFO: Pipelinerun $TEST_NAME succeeded"
+      else
+        echo "ERROR: Pipelinerun $TEST_NAME failed"
+        exit 1
+      fi
+    fi
+
+    echo "========== Completed: $TEST_PATH =========="
+  done
+
+done

.github/workflows/check-buildah-remote.yaml

@@ -0,0 +1,25 @@
+name: Validate PR - buildah-remote
+'on':
+  pull_request:
+    branches: [main]
+jobs:
+  go:
+    name: Check Buildah Remote
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683   # v4
+      - name: Install Go
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34   # v5
+        with:
+          go-version-file: './task-generator/remote/go.mod'
+      - name: Check buildah remote
+        run: |
+          ./hack/generate-buildah-remote.sh
+          if [[ ! -z $(git status -s) ]]
+          then
+            echo "buildah-remote is not up to date, run ./hack/generate-buildah-remote.sh"
+            echo "Or run ./hack/generate-everything.sh to run all the generators at once."
+            git status -s
+            git --no-pager diff
+            exit 1
+          fi

.github/workflows/check-kustomize-build.yaml

@@ -0,0 +1,20 @@
+name: Validate PR - kustomize manifests
+'on':
+  pull_request:
+    branches: [main]
+jobs:
+  kustomize-build:
+    name: Check Kustomize Build of Task and Pipelines
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+      - name: Install oc
+        run: |
+          set -euo pipefail
+          url=https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/latest-4.17/openshift-client-linux.tar.gz
+          if ! which oc; then
+            curl --fail --no-progress-meter -L "$url" | gzip -cd | sudo -- tar -x -C /usr/bin oc
+          fi
+      - name: Validate Manifests
+        run: hack/verify-manifests.sh

.github/workflows/check-readmes.yaml

@@ -0,0 +1,33 @@
+name: Validate PR - check READMEs
+'on':
+  pull_request:
+    branches: [main]
+jobs:
+  check:
+    name: Check READMEs
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Install oc
+        run: |
+          set -euo pipefail
+          url=https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/latest-4.17/openshift-client-linux.tar.gz
+          if ! which oc; then
+            curl --fail --no-progress-meter -L "$url" | gzip -cd | sudo -- tar -x -C /usr/bin oc
+          fi
+
+      - name: Check pipeline READMEs
+        run: |
+          #!/bin/bash
+          set -e
+
+          ./hack/generate-pipelines-readme.py
+          if [[ -n $(git status -s) ]]
+          then
+            echo "pipeline READMEs are not up to date, run ./hack/generate-pipelines-readme.py and commit the resulting changes"
+            echo "Or run ./hack/generate-everything.sh to run all the generators at once."
+            git status -s
+            exit 1
+          fi

.github/workflows/check-ta.yaml

@@ -0,0 +1,23 @@
+name: Validate PR - Trusted Artifact variants
+'on':
+  pull_request:
+    branches: [main]
+jobs:
+  go:
+    name: Check Trusted Artifact variants
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+      - name: Check Trusted Artifact variants
+        id: check
+        run: hack/generate-ta-tasks.sh
+      - name: Check missing Trusted Artifact variants
+        id: missing
+        run: hack/missing-ta-tasks.sh
+      - name: Attach patch
+        if: ${{ always() && steps.check.conclusion == 'failure' }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: Trusted artifacts patch
+          path: ./ta.patch

.github/workflows/check-task-migration.yaml

@@ -0,0 +1,28 @@
+name: Check task migrations
+"on":
+  pull_request:
+    branches: [main]
+jobs:
+  check:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Create k8s Kind Cluster
+        uses: helm/kind-action@v1.12.0
+        with:
+          cluster_name: kind
+      - uses: tektoncd/actions/setup-tektoncd@main
+        with:
+          pipeline_version: latest
+      - name: Run check
+        run: |
+          kubectl get all -n tekton-pipelines
+          # Require name main
+          git branch main origin/main
+          # Make `git branch --show-current` works.
+          git checkout -b pr-verify
+          export IN_CLUSTER=1
+          bash -x ./hack/validate-migration.sh

.github/workflows/check-task-owners.yaml

@@ -0,0 +1,35 @@
+name: Validate PR - check task owners
+'on':
+  pull_request:
+    branches: [main]
+jobs:
+  check:
+    name: Check Task OWNERS
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Check task owners
+        run: |
+          ./hack/check-task-owners.sh
+
+      - name: Check renovate.json groups
+        run: |
+          #!/bin/bash
+          set -euo pipefail
+
+          renovate_content=$(cat renovate.json)
+          ./hack/update_renovate_json_based_on_codeowners.py -o renovate.json
+
+          uptodate=$(jq --argjson previous "$renovate_content" '$previous == .' renovate.json)
+          echo "renovate.json is up to date: $uptodate"
+
+          if [[ $uptodate == false ]]; then
+              echo
+              git --no-pager diff -- renovate.json
+              echo
+              echo "To apply the updates, run: ./hack/update_renovate_json_based_on_codeowners.py -o renovate.json"
+              echo "Or run ./hack/generate-everything.sh to run all the generators at once."
+              exit 1
+          fi