
Restore arm64 builds for ocm-container-micro; add CI guardrails#534

Merged
openshift-merge-bot[bot] merged 1 commit into openshift:master from clcollins:ocm-container/arm64-micro-pipelineref on Jun 15, 2026

Conversation

clcollins (Member) commented Jun 12, 2026

Summary

  • Revert ocm-container-micro pipeline files from bot-generated embedded pipelineSpec back to lightweight pipelineRef style (restoring Kirk Bater's original design from PR #461, "updates tekton builds for all targets")
  • Re-enable linux/arm64 in micro's build-platforms (matching minimal and full)
  • Add CI guardrail script (.ci/validate-tekton-pipelines.sh) that fails if any PipelineRun file has its pipelineRef replaced with an embedded pipelineSpec or if linux/arm64 is removed from build-platforms

Background

On 2026-03-12, the Konflux bot (red-hat-konflux-kflux-prd-rh03) silently replaced micro's pipelineRef with a 626-line embedded pipelineSpec in PR #488 (commit a8458a1), stripping arm64 support. The PR was auto-merged in 2 seconds with no human review. The bot had also previously nudged minimal and full, but Kirk reverted those within hours — micro's nudge was never reverted.

See investigation details on ROSAENG-3945.

Changes

File                                           Change
.tekton/ocm-container-micro-push.yaml          626 lines → 49 lines (pipelineSpec → pipelineRef + arm64)
.tekton/ocm-container-micro-pull-request.yaml  629 lines → 53 lines (same)
.ci/validate-tekton-pipelines.sh               New guardrail script
Makefile                                       Added validate-tekton target, wired into pr-check

Test plan

  • Konflux PR pipeline builds micro for both amd64 and arm64
  • make validate-tekton passes
  • After merge: podman manifest inspect quay.io/redhat-services-prod/openshift/ocm-container-micro:latest shows both architectures

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Enhanced CI/CD pipeline validation to ensure configuration consistency
    • Extended build support to include ARM64 architecture alongside x86_64

Revert ocm-container-micro pipeline files from the bot-generated
embedded pipelineSpec back to the lightweight pipelineRef style that
Kirk Bater originally set up (PR openshift#461). The Konflux bot (PR openshift#488,
commit a8458a1) silently replaced pipelineRef with pipelineSpec and
stripped arm64 support on 2026-03-12.

Add a CI guardrail script that fails if any PipelineRun file has its
pipelineRef replaced with an embedded pipelineSpec or if arm64 is
removed from build-platforms.

ROSAENG-3945

Created with assistance from Claude 🤖 <claude@anthropic.com>

Signed-off-by: Christopher Collins <collins.christopher@gmail.com>
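The two invariants the guardrail described above enforces, as an added standalone example that is not the repository's .ci/validate-tekton-pipelines.sh. It assumes nothing beyond grep and a temp dir; the sample manifests are constructed and trimmed to the fields being checked, and a missing file is treated as a failure rather than a skipped warning.

```shell
# Added example, not the repository's .ci/validate-tekton-pipelines.sh: a
# standalone check of the two PipelineRun invariants this PR describes.
set -u

# check_pipelinerun FILE: 0 if FILE passes both rules, 1 otherwise.
# Rule 1: reference a pipeline (pipelineRef:) instead of embedding one
#         (pipelineSpec:). Rule 2: build-platforms still lists linux/arm64.
# A missing file fails rather than warns, so a renamed manifest cannot
# silently drop out of coverage (the gap the CodeRabbit review points out).
check_pipelinerun() {
  local file="$1" rc=0
  if [ ! -f "$file" ]; then
    echo "FAILURE: $file not found" >&2
    return 1
  fi
  if grep -qE '^[[:space:]]*pipelineSpec:' "$file"; then
    echo "FAILURE: $file embeds a pipelineSpec; use pipelineRef" >&2; rc=1
  elif ! grep -qE '^[[:space:]]*pipelineRef:' "$file"; then
    echo "FAILURE: $file has no pipelineRef" >&2; rc=1
  fi
  if ! grep -q 'linux/arm64' "$file"; then
    echo "FAILURE: $file build-platforms lacks linux/arm64" >&2; rc=1
  fi
  return "$rc"
}

# validate_all DIR FILE...: check every tracked manifest under DIR; the exit
# status is the number of failing entries (0 means the guardrail passes).
validate_all() {
  local dir="$1" errors=0 f; shift
  for f in "$@"; do
    check_pipelinerun "$dir/$f" || errors=$((errors + 1))
  done
  return "$errors"
}

# Constructed sample manifests, trimmed to the fields the checks inspect.
WORKDIR="$(mktemp -d)"
cat > "$WORKDIR/micro-push.yaml" <<'EOF'
spec:
  pipelineRef: {name: pull-request-build-image}
  params:
    - {name: build-platforms, value: ["linux/x86_64", "linux/arm64"]}
EOF
cat > "$WORKDIR/nudged.yaml" <<'EOF'
spec:
  pipelineSpec: {tasks: []}
  params:
    - {name: build-platforms, value: ["linux/x86_64"]}
EOF
```

The exit status of validate_all is what a Makefile target such as validate-tekton would key on.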
coderabbitai Bot commented Jun 12, 2026

Walkthrough

This PR introduces a Tekton pipeline validation script that enforces two rules across PipelineRun files: use of pipelineRef instead of embedded pipelineSpec, and inclusion of linux/arm64 in build-platforms. Two existing PipelineRun manifests are refactored to conform to these rules, replacing embedded pipeline definitions with references and expanding their build configuration. CI integration is added to run the validation step before image builds.

Changes

Tekton PipelineRun Validation and Refactoring

Layer: Tekton pipeline validation script
File(s): .ci/validate-tekton-pipelines.sh
Summary: New bash validation script defines and enforces two invariants: PipelineRun files must use pipelineRef instead of embedded pipelineSpec, and must include linux/arm64 in build-platforms. Script locates .tekton/ directory, iterates a predefined set of PipelineRun files, runs validation functions on each file, accumulates errors, and exits non-zero with remediation guidance if violations are found.

Layer: PipelineRun refactoring to pipelineRef pattern
File(s): .tekton/ocm-container-micro-pull-request.yaml, .tekton/ocm-container-micro-push.yaml
Summary: Both PipelineRun files are refactored in parallel to conform to the validation rules. Trigger conditions are extended with pathChanged() checks for relevant files, large embedded pipelineSpec blocks are removed and replaced with pipelineRef: pull-request-build-image, build-platforms is expanded to include both linux/x86_64 and linux/arm64, and build parameters are made explicit (target, dockerfile, output-image, git-url, revision).

Layer: CI validation target integration
File(s): Makefile
Summary: New phony target validate-tekton is added to invoke the validation script with status messaging, .PHONY declarations are extended, and pr-check is updated to depend on validate-tekton before check-image-build, ensuring Tekton pipeline validation runs early in the CI pipeline.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

approved, lgtm

Suggested reviewers

  • smarthall
  • tkong-redhat
🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Docstring Coverage (⚠️ Warning): Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (14 passed)

Description Check (✅ Passed): Check skipped - CodeRabbit’s high-level summary is enabled.
Title check (✅ Passed): The title accurately summarizes the two main objectives: restoring arm64 builds for ocm-container-micro and adding CI guardrails, both of which are central to this changeset.
Linked Issues check (✅ Passed): Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check (✅ Passed): Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names (✅ Passed): PR #534 changes only Makefile + Tekton YAML + a bash CI script; searched these files for Ginkgo keywords (Describe/It/Context/When/etc.) and found none, so no Ginkgo test titles were modified.
Test Structure And Quality (✅ Passed): PR #534 only changes .ci script, Tekton YAMLs, and Makefile; no Ginkgo/_test.go files are modified to review per requirements.
Microshift Test Compatibility (✅ Passed): PR changes only .ci validate script, Tekton YAML, and Makefile; none contain Ginkgo constructs (g.It/Describe/Context/When) or MicroShift runtime guards to evaluate.
Single Node Openshift (Sno) Test Compatibility (✅ Passed): PR #534 only changes .ci/validate-tekton-pipelines.sh, two .tekton PipelineRun YAMLs, and the Makefile; no new Ginkgo e2e tests were added, so SNO compatibility check is not applicable.
Topology-Aware Scheduling Compatibility (✅ Passed): PR only updates CI bash guardrail, Tekton PipelineRun YAMLs, and Makefile; no deployment/operator/controller scheduling constraints (affinity/topologySpread/maxUnavailable/node-role labels) were in...
Ote Binary Stdout Contract (✅ Passed): Scanned Go sources for fmt.Print/os.Stdout/klog stdout writes in main/init/TestMain/BeforeSuite/RunSpecs setup; none found. PR only modifies CI script/Tekton YAML/Makefile.
Ipv6 And Disconnected Network Test Compatibility (✅ Passed): PR #534 only updates Tekton PipelineRun YAMLs, a Makefile target, and a bash CI guardrail script—no new Ginkgo e2e tests are added to flag for IPv4/disconnected-net issues.
No-Weak-Crypto (✅ Passed): Checked PR-touched files (.ci/validate-tekton-pipelines.sh, both micro PipelineRuns, Makefile) for MD5/SHA1/DES/RC4/3DES/Blowfish/ECB and found none; no custom/non-constant-time crypto present.
Container-Privileges (✅ Passed): Search of repo manifests found no privileged=true/hostPID/hostNetwork/hostIPC/SYS_ADMIN/allowPrivilegeEscalation/runAsUser:0 (only 'privileged:' in pkg/engine/engine_test.go).
No-Sensitive-Data-In-Logs (✅ Passed): New .ci/validate-tekton-pipelines.sh only echoes fixed messages + filenames (no secret/token values). Makefile validate-tekton just runs the script; other token logging doesn’t print token contents.


@openshift-ci openshift-ci Bot requested review from iamkirkbater and smarthall June 12, 2026 01:25
@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 12, 2026

coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.ci/validate-tekton-pipelines.sh:
- Around line 13-20: The script defines an explicit allowlist PIPELINERUN_FILES
but currently only emits a warning and returns when a tracked PipelineRun file
is missing; change those early-return warning branches to fail the script with a
non-zero exit (use echo to STDERR and exit 1) so a missing or renamed entry
fails CI; update the two validation spots that currently "warn and return" (the
checks that iterate PIPELINERUN_FILES and the duplicate/coverage check) to emit
a clear error message and exit 1 instead of returning success.

In `@Makefile`:
- Around line 366-372: The global toolchain pre-checks are being evaluated
before Make selects targets, so running the new validate-tekton target still
fails on machines without go/podman/docker; update the Makefile so those checks
are only run for build/image targets by either moving the toolchain checks into
the build-only prerequisites (e.g., tie them to check-image-build/pr-check) or
guard their execution with a MAKECMDGOALS conditional that skips them when
MAKECMDGOALS contains validate-tekton, and ensure the validate-tekton target
(and pr-check if intended) can run standalone without triggering the global
checks.


📥 Commits

Reviewing files that changed from the base of the PR and between c1af67e and 75e5c26.

📒 Files selected for processing (4)
  • .ci/validate-tekton-pipelines.sh
  • .tekton/ocm-container-micro-pull-request.yaml
  • .tekton/ocm-container-micro-push.yaml
  • Makefile

Comment on lines +13 to +20
PIPELINERUN_FILES=(
"ocm-container-micro-push.yaml"
"ocm-container-micro-pull-request.yaml"
"ocm-container-minimal-push.yaml"
"ocm-container-minimal-pull-request.yaml"
"ocm-container-push.yaml"
"ocm-container-pull-request.yaml"
)


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Fail when a tracked PipelineRun file is missing.

Line 26 and Line 59 only warn and return. Since PIPELINERUN_FILES is an explicit allowlist, renaming or deleting one of those manifests bypasses both validations and still leaves this guardrail green. Missing entries should count as validation failures so coverage cannot be silently dropped.

🛠️ Proposed fix
+check_file_exists() {
+  local file="$1"
+  local filepath="${TEKTON_DIR}/${file}"
+
+  if [ ! -f "${filepath}" ]; then
+    echo "FAILURE: ${file} not found"
+    ERRORS=$((ERRORS + 1))
+    return 1
+  fi
+}
+
 check_no_embedded_pipelinespec() {
   local file="$1"
   local filepath="${TEKTON_DIR}/${file}"
 
-  if [ ! -f "${filepath}" ]; then
-    echo "WARNING: ${file} not found, skipping"
-    return
-  fi
+  check_file_exists "${file}" || return
 
   if grep -q "pipelineSpec:" "${filepath}"; then
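Review bot: check_file_exists is called from both check_no_embedded_pipelinespec and check_arm64_in_build_platforms, so a single missing manifest prints FAILURE twice and adds 2 to ERRORS, overstating how many files are missing. Consider doing the existence check once in the loop over PIPELINERUN_FILES and skipping both content checks for that entry, or have check_file_exists only report and leave the count to the caller. The prompt text above also asks for the message on STDERR, while this hunk echoes FAILURE to stdout; `echo "FAILURE: ${file} not found" >&2` keeps diagnostics out of any captured output.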
@@
 check_arm64_in_build_platforms() {
   local file="$1"
   local filepath="${TEKTON_DIR}/${file}"
 
-  if [ ! -f "${filepath}" ]; then
-    echo "WARNING: ${file} not found, skipping"
-    return
-  fi
+  check_file_exists "${file}" || return
 
   if ! grep -q "linux/arm64" "${filepath}"; then
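Review bot: `check_file_exists "${file}" || return` relies on a bare return propagating the failing status of check_file_exists; bash does that, but `|| return 1` states the intent and survives a later edit that puts another command in between. The same applies to the identical line in check_no_embedded_pipelinespec.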

Also applies to: 26-29, 59-62


Comment thread Makefile
Comment on lines +366 to +372
.PHONY: pr-check check-image-build release-image validate-tekton
# TODO: Add golang build/tests here (onboard project to boilerplate?)
pr-check: check-image-build
pr-check: validate-tekton check-image-build

validate-tekton:
@echo "Validating .tekton/ pipeline configuration..."
@bash .ci/validate-tekton-pipelines.sh
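Review bot: `pr-check: validate-tekton check-image-build` orders the two prerequisites only for a serial make; under `make -j` both can start at once, so check-image-build may be well under way before validation fails. If validation is meant to gate the image build, have check-image-build depend on validate-tekton (an order-only prerequisite, `check-image-build: | validate-tekton`, is enough) instead of relying on prerequisite order in pr-check.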


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

validate-tekton is not actually standalone yet.

Line 370 adds a lightweight validation target, but Make still evaluates the global toolchain checks at Lines 5-14 before target selection. On any runner without go or podman/docker, make validate-tekton aborts before this script runs, which defeats the new guardrail’s intended standalone check. Please move those checks behind build-only prereqs or gate them by MAKECMDGOALS.


iamkirkbater (Contributor) commented

/lgtm

Good catch!

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 15, 2026
openshift-ci Bot (Contributor) commented Jun 15, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: clcollins, iamkirkbater

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:
  • OWNERS [clcollins,iamkirkbater]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot Bot merged commit 2e3b3d3 into openshift:master Jun 15, 2026
4 checks passed