Migrate PCO FBC pipelines to release-branch triggers #328

Merged: osmman merged 1 commit into main from pco-fbc-migration-SECURESIGN-4332 on Jun 18, 2026

@osmman osmman commented Jun 18, 2026
Collaborator

Summary

  • Replace PCO push+PR pipelines with push-only, release-branch triggers (matching RHTAS pattern)
  • Drop v4.15, add v4.22 pipeline
  • Add policy-controller-operator to catalog sync workflow
  • Single application label (pco-fbc) across all versions

Companion PR: securesign/pipelines#519

SECURESIGN-4332

🤖 Generated with Claude Code

- Replace push+PR pipelines with push-only, release-branch triggers
- Drop v4.15, add v4.22
- Add policy-controller-operator to catalog sync workflow
- Single application label (pco-fbc) across all versions

SECURESIGN-4332

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

@osmman osmman requested review from JasonPowr and tommyd450 June 18, 2026 10:49

@qodo-for-securesign

Code Review by Qodo

Sorry, something went wrong

We weren't able to complete the code review on our side. Please try again

@qodo-for-securesign

PR Summary by Qodo

Migrate PCO FBC pipelines to release-branch push triggers
⚙️ Configuration changes ✨ Enhancement 🕐 20-40 Minutes

Description

• Switch PCO FBC PipelineRuns to push-only triggers on release-* branches.
• Remove per-version pull-request PipelineRuns to match the RHTAS trigger pattern.
• Update supported catalog sync packages and add a new v4.22 PCO FBC pipeline.

Diagram

graph TD
  A["Git push (release-*)"] --> B["Pipelines-as-Code (CEL)"] --> C["PCO FBC PipelineRuns (v4.16-4.22)"] --> D["fbc-builder pipeline"] --> E[("Quay images")]
  F["GitHub Action: sync-catalog"] --> G["Catalog sync (supported packages)"]
  G --> E

High-Level Assessment

The following are alternative approaches to this PR:

1. Keep PR-triggered PipelineRuns alongside release push triggers
  • ➕ Provides pre-merge validation for catalog/Dockerfile changes
  • ➕ Catches breakage before it lands on release branches
  • ➖ Higher CI load and more PipelineRun noise
  • ➖ Conflicts with the stated goal to match the push-only RHTAS pattern
2. Generate per-version Tekton YAML from a template (kustomize/helm/make)
  • ➕ Reduces duplicated trigger logic across versions
  • ➕ Lowers risk of drift between v4.xx pipeline definitions
  • ➖ Adds a generation step and contributor overhead
  • ➖ Requires enforcing generated output consistency in CI

Recommendation: The PR's approach (push-only triggers on release-* and a single application label) is appropriate if the goal is consistency with existing RHTAS pipelines and reduced CI churn. If pre-merge validation is still desired, consider adding a lightweight lint/validation job (or periodic canary build) rather than restoring full PR-triggered PipelineRuns.

Files changed (8) +43 / -36

Enhancement (1) +12 / -9
pco-fbc-v4-22-push.yaml: Add v4.22 FBC push pipeline and remove v4.15 references (+12/-9)

• Retargets the pipeline definition to v4.22 (name, component, path-context, output image, service account) and adds ocp-release-version=v4.22. Updates the CEL trigger to release-* push events with v4.22 path changes.

.tekton/pco-fbc-v4-22-push.yaml

Other (7) +31 / -27
sync-catalog.yaml: Expand catalog sync to include policy-controller-operator (+1/-3)

• Updates SUPPORTED_PACKAGES to sync both rhtas-operator and policy-controller-operator. Removes the commented TODO block in favor of an explicit package list.

.github/workflows/sync-catalog.yaml

pco-fbc-v4-16-push.yaml: Trigger v4.16 FBC builds on release-* pushes and unify app label (+5/-4)

• Replaces main-branch push conditions with a CEL expression that triggers on push events to release-* branches when v4.16 content changes. Standardizes the application label to pco-fbc.

.tekton/pco-fbc-v4-16-push.yaml

pco-fbc-v4-17-push.yaml: Trigger v4.17 FBC builds on release-* pushes and unify app label (+5/-4)

• Updates Pipelines-as-Code CEL to run only on push events targeting release-* branches with v4.17 path/file changes. Sets appstudio.openshift.io/application to pco-fbc.

.tekton/pco-fbc-v4-17-push.yaml

pco-fbc-v4-18-push.yaml: Trigger v4.18 FBC builds on release-* pushes and unify app label (+5/-4)

• Moves from main-branch push triggers to release-* push triggers with corrected pathChanged patterns. Unifies the application label to pco-fbc.

.tekton/pco-fbc-v4-18-push.yaml

pco-fbc-v4-19-push.yaml: Trigger v4.19 FBC builds on release-* pushes and unify app label (+5/-4)

• Switches the CEL trigger to push-only on release-* branches and updates the watched paths to v4.19. Standardizes the application label to pco-fbc.

.tekton/pco-fbc-v4-19-push.yaml

pco-fbc-v4-20-push.yaml: Trigger v4.20 FBC builds on release-* pushes and unify app label (+5/-4)

• Updates Pipelines-as-Code CEL to trigger on push events to release-* branches with v4.20-related changes. Sets a single application label (pco-fbc).

.tekton/pco-fbc-v4-20-push.yaml

pco-fbc-v4-21-push.yaml: Trigger v4.21 FBC builds on release-* pushes and unify app label (+5/-4)

• Replaces main push trigger logic with release-* push-only CEL evaluation and corrects the watched v4.21 paths. Standardizes application labeling to pco-fbc.

.tekton/pco-fbc-v4-21-push.yaml
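
A lint check of the kind the assessment above suggests in place of PR-triggered PipelineRuns, added here as an example (not code from this repository or from Qodo): it flags drift between the per-version `.tekton/pco-fbc-v4-XX-push.yaml` files. The two YAML samples and their CEL text are constructed for illustration, and the check assumes the trigger lives in the Pipelines-as-Code `on-cel-expression` annotation.

```python
import re

APP_LABEL = "pco-fbc"          # single application label named in the PR
SUPPORTED = range(16, 23)      # v4.16 .. v4.22 (v4.15 dropped, v4.22 added)
CEL_KEY = "pipelinesascode.tekton.dev/on-cel-expression"

def check_pipelinerun(filename, text):
    """Return a list of drift findings for one PipelineRun file (empty = OK)."""
    findings = []
    m = re.fullmatch(r"pco-fbc-v4-(\d+)-push\.yaml", filename)
    if not m or int(m.group(1)) not in SUPPORTED:
        return [f"{filename}: not a supported per-version push pipeline"]
    version = f"v4.{m.group(1)}"
    label = re.search(r"appstudio\.openshift\.io/application:\s*(\S+)", text)
    if not label or label.group(1) != APP_LABEL:
        findings.append(f"{filename}: application label is not {APP_LABEL}")
    # The annotation value runs until the next "key:" line (handles folded blocks).
    cel = re.search(re.escape(CEL_KEY) + r":\s*(.*?)(?=\n\s*[\w./-]+:\s|\Z)", text, re.S)
    expr = cel.group(1) if cel else ""
    if 'event == "push"' not in expr or "pull_request" in expr:
        findings.append(f"{filename}: trigger is not push-only")
    if not re.search(r"target_branch\.matches\(\s*[\"']\^?release-", expr):
        findings.append(f"{filename}: trigger is not limited to release-* branches")
    stray = sorted(set(re.findall(r"v4\.\d+", expr)) - {version})
    if stray or version not in expr:
        findings.append(f"{filename}: watched paths do not match {version}: {stray}")
    return findings

# Constructed sample: a v4.22 file that follows the pattern described in the PR.
GOOD = '''metadata:
  annotations:
    pipelinesascode.tekton.dev/on-cel-expression: >-
      event == "push" && target_branch.matches("^release-.*$") &&
      ("v4.22/***".pathChanged() || ".tekton/pco-fbc-v4-22-push.yaml".pathChanged())
  labels:
    appstudio.openshift.io/application: pco-fbc
'''
# Constructed sample: a v4.16 file with a stale label, branch and watched path.
DRIFTED = '''metadata:
  annotations:
    pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch == "main" && "v4.15/***".pathChanged()
  labels:
    appstudio.openshift.io/application: pco-fbc-v4-16
'''

if __name__ == "__main__":
    for name, text in [("pco-fbc-v4-22-push.yaml", GOOD), ("pco-fbc-v4-16-push.yaml", DRIFTED)]:
        print(name, check_pipelinerun(name, text) or "OK")
```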

@osmman osmman merged commit e482009 into main Jun 18, 2026
@osmman osmman deleted the pco-fbc-migration-SECURESIGN-4332 branch June 18, 2026 11:07