From 67e4acb5b1ef94139ffb305a54e1e4cbe5ed7f3e Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Fri, 16 Aug 2024 12:49:05 +0200 Subject: [PATCH 01/18] DO NOT MERGE: temporarily disable all other builds to iterate quickly and not cause too many Konflux builds --- .tekton/central-db-build.yaml | 3 +-- .tekton/main-build.yaml | 3 +-- .tekton/operator-build.yaml | 3 +-- .tekton/operator-bundle-build.yaml | 3 +-- .tekton/roxctl-build.yaml | 3 +-- .tekton/scanner-v4-build.yaml | 3 +-- .tekton/scanner-v4-db-build.yaml | 3 +-- 7 files changed, 7 insertions(+), 14 deletions(-) diff --git a/.tekton/central-db-build.yaml b/.tekton/central-db-build.yaml index 4059ebf4a1c6f..f166d43e9a300 100644 --- a/.tekton/central-db-build.yaml +++ b/.tekton/central-db-build.yaml @@ -10,8 +10,7 @@ metadata: pipelinesascode.tekton.dev/max-keep-runs: "500" # TODO(ROX-21073): re-enable for all PR branches pipelinesascode.tekton.dev/on-cel-expression: | - (event == "push" && target_branch.matches("^(master|release-.*)$")) || - (event == "pull_request" && (source_branch.matches("(konflux|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build"))) + (event == "push" && target_branch.matches("^(master|release-.*)$")) labels: appstudio.openshift.io/application: acs appstudio.openshift.io/component: central-db diff --git a/.tekton/main-build.yaml b/.tekton/main-build.yaml index c9144bdf1d845..db29d3799c43f 100644 --- a/.tekton/main-build.yaml +++ b/.tekton/main-build.yaml 
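Review bot: The `# TODO(ROX-21073): re-enable for all PR branches` comment kept above `on-cel-expression` no longer matches the expression, which has no `pull_request` clause left after this change. While the clause is absent, none of these PipelineRuns is triggered before a change reaches `master` or a `release-*` branch. If the commit stays on the branch for a while, mark the removal in the file itself, e.g. `# TEMPORARY: pull_request trigger removed while iterating; restore before merge`, so the state is visible without the commit subject. The same applies to the identical hunks in main-build.yaml, operator-build.yaml, operator-bundle-build.yaml, roxctl-build.yaml, scanner-v4-build.yaml and scanner-v4-db-build.yaml.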
@@ -10,8 +10,7 @@ metadata: pipelinesascode.tekton.dev/max-keep-runs: "500" # TODO(ROX-21073): re-enable for all PR branches pipelinesascode.tekton.dev/on-cel-expression: | - (event == "push" && target_branch.matches("^(master|release-.*)$")) || - (event == "pull_request" && (source_branch.matches("(konflux|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build"))) + (event == "push" && target_branch.matches("^(master|release-.*)$")) labels: appstudio.openshift.io/application: acs appstudio.openshift.io/component: main diff --git a/.tekton/operator-build.yaml b/.tekton/operator-build.yaml index 94e6d52b359f7..1130d1c3dcf9c 100644 --- a/.tekton/operator-build.yaml +++ b/.tekton/operator-build.yaml @@ -10,8 +10,7 @@ metadata: pipelinesascode.tekton.dev/max-keep-runs: "500" # TODO(ROX-21073): re-enable for all PR branches pipelinesascode.tekton.dev/on-cel-expression: | - (event == "push" && target_branch.matches("^(master|release-.*)$")) || - (event == "pull_request" && (source_branch.matches("(konflux|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build"))) + (event == "push" && target_branch.matches("^(master|release-.*)$")) labels: appstudio.openshift.io/application: acs appstudio.openshift.io/component: operator diff --git a/.tekton/operator-bundle-build.yaml b/.tekton/operator-bundle-build.yaml index 3d86396acbe77..4157ee9878be5 100644 --- a/.tekton/operator-bundle-build.yaml +++ b/.tekton/operator-bundle-build.yaml 
@@ -10,8 +10,7 @@ metadata: pipelinesascode.tekton.dev/max-keep-runs: "500" # TODO(ROX-21073): re-enable for all PR branches pipelinesascode.tekton.dev/on-cel-expression: | - (event == "push" && target_branch.matches("^(master|release-.*)$")) || - (event == "pull_request" && (source_branch.matches("(konflux|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build"))) + (event == "push" && target_branch.matches("^(master|release-.*)$")) labels: appstudio.openshift.io/application: acs appstudio.openshift.io/component: operator-bundle diff --git a/.tekton/roxctl-build.yaml b/.tekton/roxctl-build.yaml index 122a0175e5b59..543685f5136a1 100644 --- a/.tekton/roxctl-build.yaml +++ b/.tekton/roxctl-build.yaml @@ -10,8 +10,7 @@ metadata: pipelinesascode.tekton.dev/max-keep-runs: "500" # TODO(ROX-21073): re-enable for all PR branches pipelinesascode.tekton.dev/on-cel-expression: | - (event == "push" && target_branch.matches("^(master|release-.*)$")) || - (event == "pull_request" && (source_branch.matches("(konflux|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build"))) + (event == "push" && target_branch.matches("^(master|release-.*)$")) labels: appstudio.openshift.io/application: acs appstudio.openshift.io/component: roxctl diff --git a/.tekton/scanner-v4-build.yaml b/.tekton/scanner-v4-build.yaml index 3055d56f39aec..e51b548e02379 100644 --- a/.tekton/scanner-v4-build.yaml +++ b/.tekton/scanner-v4-build.yaml 
@@ -10,8 +10,7 @@ metadata: pipelinesascode.tekton.dev/max-keep-runs: "500" # TODO(ROX-21073): re-enable for all PR branches pipelinesascode.tekton.dev/on-cel-expression: | - (event == "push" && target_branch.matches("^(master|release-.*)$")) || - (event == "pull_request" && (source_branch.matches("(konflux|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build"))) + (event == "push" && target_branch.matches("^(master|release-.*)$")) labels: appstudio.openshift.io/application: acs appstudio.openshift.io/component: scanner-v4 diff --git a/.tekton/scanner-v4-db-build.yaml b/.tekton/scanner-v4-db-build.yaml index a5fb7db18ebbe..a1b0e0db13d50 100644 --- a/.tekton/scanner-v4-db-build.yaml +++ b/.tekton/scanner-v4-db-build.yaml @@ -10,8 +10,7 @@ metadata: pipelinesascode.tekton.dev/max-keep-runs: "500" # TODO(ROX-21073): re-enable for all PR branches pipelinesascode.tekton.dev/on-cel-expression: | - (event == "push" && target_branch.matches("^(master|release-.*)$")) || - (event == "pull_request" && (source_branch.matches("(konflux|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build"))) + (event == "push" && target_branch.matches("^(master|release-.*)$")) labels: appstudio.openshift.io/application: acs appstudio.openshift.io/component: scanner-v4-db From 60914d6e2ceb0610665e6a9ba0fa910e6aabd734 Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Fri, 16 Aug 2024 10:42:33 +0200 Subject: [PATCH 02/18] Prepare pipeline for retagging collector as simply a copy of roxctl/basic-component pipeline. Further changes will go on top of that. --- .tekton/collector-retag.yaml | 77 +++++ .tekton/retag-pipeline.yaml | 548 +++++++++++++++++++++++++++++++++++ 2 files changed, 625 insertions(+) create mode 100644 .tekton/collector-retag.yaml create mode 100644 .tekton/retag-pipeline.yaml diff --git a/.tekton/collector-retag.yaml b/.tekton/collector-retag.yaml new file mode 100644 index 0000000000000..122a0175e5b59 --- /dev/null 
+++ b/.tekton/collector-retag.yaml 
@@ -0,0 +1,77 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+
+metadata:
+ annotations:
+ build.appstudio.openshift.io/repo: https://github.com/stackrox/stackrox?rev={{revision}}
+ build.appstudio.redhat.com/commit_sha: '{{revision}}'
+ build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}'
+ build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+ pipelinesascode.tekton.dev/max-keep-runs: "500"
+ # TODO(ROX-21073): re-enable for all PR branches
+ pipelinesascode.tekton.dev/on-cel-expression: |
+ (event == "push" && target_branch.matches("^(master|release-.*)$")) ||
+ (event == "pull_request" && (source_branch.matches("(konflux|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build")))
+ labels:
+ appstudio.openshift.io/application: acs
+ appstudio.openshift.io/component: roxctl
+ pipelines.appstudio.openshift.io/type: build
+ name: roxctl-build
+ namespace: rh-acs-tenant
+
+spec:
+
+ params:
+ - name: dockerfile
+ value: image/roxctl/konflux.Dockerfile
+ - name: git-url
+ value: '{{repo_url}}'
+ - name: image-expires-after
+ # TODO(ROX-24530): return expiration for non-released images to 13w
+ value: '52w'
+ - name: output-image-repo
+ value: quay.io/rhacs-eng/roxctl
+ - name: path-context
+ value: .
+ - name: revision
+ value: '{{revision}}'
+ - name: rebuild
+ value: 'true'
+ # TODO(ROX-20234): Enable hermetic builds
+ # - name: hermetic
+ # value: 'true'
+ - name: prefetch-input
+ value: '{"type": "gomod", "path": "."}'
+ - name: build-source-image
+ value: 'true'
+ - name: clone-depth
+ value: '0'
+ - name: clone-fetch-tags
+ value: 'true'
+
+ workspaces:
+ - name: git-auth
+ secret:
+ secretName: '{{ git_auth_secret }}'
+
+ pipelineRef:
+ name: basic-component-pipeline
+
+ taskRunSpecs:
+ - pipelineTaskName: build-container-amd64
+ stepSpecs:
+ - name: build
+ # CPU requests are increased to speed up builds compared to the defaults.
+ # Defaults: https://github.com/konflux-ci/build-definitions/blob/main/task/buildah/0.1/buildah.yaml#L147
+ computeResources:
+ limits:
+ cpu: 2
+ requests:
+ cpu: 2
+
+ timeouts:
+ # The tasks regularly takes 1h to finish.
+ tasks: 1h
+ # Reserve time for final tasks to run.
+ finally: 10m
+ pipeline: 1h10m
diff --git a/.tekton/retag-pipeline.yaml b/.tekton/retag-pipeline.yaml
new file mode 100644
index 0000000000000..2dcad38ef7f4f
--- /dev/null
+++ b/.tekton/retag-pipeline.yaml
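Review bot: As added here the PipelineRun still carries roxctl's identity: `name: roxctl-build`, `appstudio.openshift.io/component: roxctl` and `output-image-repo` set to `quay.io/rhacs-eng/roxctl`, and its blob id matches the old side of `.tekton/roxctl-build.yaml`, so at this commit two definitions with the same name and output repository exist. It also keeps the `pull_request` clause in `on-cel-expression`, so it would still trigger on matching pull requests. If the series is not squashed, give the copy its final `name`, component and repository in this commit, or add a top-of-file comment such as `# Verbatim copy of roxctl-build.yaml; adapted in the following commits`.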
@@ -0,0 +1,548 @@
+apiVersion: tekton.dev/v1
+kind: Pipeline
+metadata:
+ name: basic-component-pipeline
+spec:
+
+ finally:
+ - name: slack-notification
+ params:
+ - name: message
+ value: ':x: `{{event_type}}` pipeline for (`$(params.output-image-repo)`, revision <$(params.git-url)/commit/$(params.revision)|$(params.revision)>) has failed.'
+ - name: key-name
+ value: 'acs-konflux-notifications'
+ when:
+ # Run when any task has Failed
+ - input: $(tasks.status)
+ operator: in
+ values: ["Failed"]
+ taskRef:
+ params:
+ - name: name
+ value: slack-webhook-notification
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-slack-webhook-notification:0.1@sha256:0dfdfd87a8716ff9c20ae3325eff9a5d52ee9c708959c1e93eaedc852621a4d5
+ - name: kind
+ value: task
+ resolver: bundles
+
+ - name: show-sbom
+ params:
+ - name: IMAGE_URL
+ value: $(tasks.build-image-manifest.results.IMAGE_URL)
+ taskRef:
+ params:
+ - name: name
+ value: show-sbom
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:9bfc6b99ef038800fe131d7b45ff3cd4da3a415dd536f7c657b3527b01c4a13b
+ - name: kind
+ value: task
+ resolver: bundles
+
+ params:
+ - description: Source Repository URL
+ name: git-url
+ type: string
+ - default: ""
+ description: Revision of the Source Repository
+ name: revision
+ type: string
+ - description: Output Image Repository
+ name: output-image-repo
+ type: string
+ - default: "-fast"
+ description: Suffix that will be appended to the output image tag.
+ name: output-tag-suffix
+ type: string
+ - default: .
+ description: Path to the source code of an application's component from where
+ to build image.
+ name: path-context
+ type: string
+ - default: Dockerfile
+ description: Path to the Dockerfile inside the context specified by parameter
+ path-context
+ name: dockerfile
+ type: string
+ - default: "false"
+ description: Force rebuild image
+ name: rebuild
+ type: string
+ - default: "false"
+ description: Skip checks against built image
+ name: skip-checks
+ type: string
+ - default: "false"
+ description: Execute the build with network isolation
+ name: hermetic
+ type: string
+ - default: ""
+ description: Build dependencies to be prefetched by Cachi2
+ name: prefetch-input
+ type: string
+ - default: "false"
+ description: Java build
+ name: java
+ type: string
+ - default: ""
+ description: Image tag expiration time, time values could be something like
+ 1h, 2d, 3w for hours, days, and weeks, respectively.
+ name: image-expires-after
+ type: string
+ - default: "true"
+ description: Build a source image.
+ name: build-source-image
+ type: string
+ - default: "0"
+ description: Depth of the git clone in number of commits. Use "1" for shallow clone. Use "0" for deep clone, i.e. to fetch all commits.
+ name: clone-depth
+ type: string
+ - default: "true"
+ description: Fetch tags with git clone
+ name: clone-fetch-tags
+ type: string
+ - default: "1d"
+ description: This sets the expiration time for intermediate OCI artifacts produced and used during builds after which they can be garbage collected.
+ name: oci-artifact-expires-after
+ type: string
+
+ results:
+ - description: ""
+ name: IMAGE_URL
+ value: $(tasks.build-image-manifest.results.IMAGE_URL)
+ - description: ""
+ name: IMAGE_DIGEST
+ value: $(tasks.build-image-manifest.results.IMAGE_DIGEST)
+ - description: ""
+ name: CHAINS-GIT_URL
+ value: $(tasks.clone-repository.results.url)
+ - description: ""
+ name: CHAINS-GIT_COMMIT
+ value: $(tasks.clone-repository.results.commit)
+ - description: ""
+ name: JAVA_COMMUNITY_DEPENDENCIES
+ value: $(tasks.build-container-amd64.results.JAVA_COMMUNITY_DEPENDENCIES)
+
+ workspaces:
+ - name: git-auth
+
+ tasks:
+
+ - name: init
+ params:
+ - name: image-url
+ # We can't provide a StackRox-style tag because it is not known at this time (requires cloning source, etc.)
+ # As a workaround, we still provide a unique tag that's based on a revision to this task to comply with its
+ # expected input. We later actually add this tag on a built image with build-image-manifest-konflux task.
+ value: $(params.output-image-repo):konflux-$(params.revision)
+ - name: rebuild
+ value: $(params.rebuild)
+ - name: skip-checks
+ value: $(params.skip-checks)
+ taskRef:
+ params:
+ - name: name
+ value: init
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:092c113b614f6551113f17605ae9cb7e822aa704d07f0e37ed209da23ce392cc
+ - name: kind
+ value: task
+ resolver: bundles
+
+ - name: clone-repository
+ params:
+ - name: url
+ value: $(params.git-url)
+ - name: revision
+ value: $(params.revision)
+ - name: depth
+ value: $(params.clone-depth)
+ - name: fetchTags
+ value: $(params.clone-fetch-tags)
+ - name: ociStorage
+ value: $(params.output-image-repo):konflux-$(params.revision).git
+ - name: ociArtifactExpiresAfter
+ value: $(params.oci-artifact-expires-after)
+ taskRef:
+ params:
+ - name: name
+ value: git-clone-oci-ta
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:0f4360ce144d46171ebd2e8f4d4575539a0600e02208ba5fc9beeb2c27ddfd4c
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(tasks.init.results.build)
+ operator: in
+ values: [ "true" ]
+ workspaces:
+ - name: basic-auth
+ workspace: git-auth
+
+ - name: determine-image-tag
+ params:
+ - name: TAG_SUFFIX
+ value: $(params.output-tag-suffix)
+ - name: SOURCE_ARTIFACT
+ value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
+ taskRef:
+ name: determine-image-tag
+
+ - name: prefetch-dependencies
+ params:
+ - name: input
+ value: $(params.prefetch-input)
+ - name: SOURCE_ARTIFACT
+ value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
+ - name: ociStorage
+ value: $(params.output-image-repo):konflux-$(params.revision).prefetch
+ - name: ociArtifactExpiresAfter
+ value: $(params.oci-artifact-expires-after)
+ taskRef:
+ params:
+ - name: name
+ value: prefetch-dependencies-oci-ta
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:f13f6783f73971e4d1fbe8fd7fde3ea6cc080943c3fe2a4338ce6373c43f26a7
+ - name: kind
+ value: task
+ resolver: bundles
+
+ - name: build-container-amd64
+ params:
+ - name: IMAGE
+ value: $(params.output-image-repo):$(tasks.determine-image-tag.results.IMAGE_TAG)-amd64
+ - name: DOCKERFILE
+ value: $(params.dockerfile)
+ - name: CONTEXT
+ value: $(params.path-context)
+ - name: HERMETIC
+ value: $(params.hermetic)
+ - name: PREFETCH_INPUT
+ value: $(params.prefetch-input)
+ - name: IMAGE_EXPIRES_AFTER
+ value: $(params.image-expires-after)
+ - name: COMMIT_SHA
+ value: $(tasks.clone-repository.results.commit)
+ - name: BUILD_ARGS
+ value:
+ - VERSIONS_SUFFIX=$(params.output-tag-suffix)
+ - MAIN_IMAGE_TAG=$(tasks.determine-image-tag.results.IMAGE_TAG)
+ - name: SOURCE_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+ - name: CACHI2_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
+ taskRef:
+ params:
+ - name: name
+ value: buildah-oci-ta
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.2@sha256:f4c1b22c16dcc0356694ef37545ead51bce136807abd9bd71190d87c11629d96
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(tasks.init.results.build)
+ operator: in
+ values: [ "true" ]
+
+ - name: build-container-s390x
+ params:
+ - name: IMAGE
+ value: $(params.output-image-repo):$(tasks.determine-image-tag.results.IMAGE_TAG)-s390x
+ - name: DOCKERFILE
+ value: $(params.dockerfile)
+ - name: CONTEXT
+ value: $(params.path-context)
+ - name: HERMETIC
+ value: $(params.hermetic)
+ - name: PREFETCH_INPUT
+ value: $(params.prefetch-input)
+ - name: IMAGE_EXPIRES_AFTER
+ value: $(params.image-expires-after)
+ - name: COMMIT_SHA
+ value: $(tasks.clone-repository.results.commit)
+ - name: BUILD_ARGS
+ value:
+ - VERSIONS_SUFFIX=$(params.output-tag-suffix)
+ - MAIN_IMAGE_TAG=$(tasks.determine-image-tag.results.IMAGE_TAG)
+ - name: SOURCE_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+ - name: CACHI2_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
+ - name: PLATFORM
+ value: linux/s390x
+ taskRef:
+ params:
+ - name: name
+ value: buildah-remote-oci-ta
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.2@sha256:680521ecc2c984adb9e14d88ecdb6a24fa0bd6980283918e5e70d5c599336236
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(tasks.init.results.build)
+ operator: in
+ values: [ "true" ]
+
+ - name: build-container-ppc64le
+ params:
+ - name: IMAGE
+ value: $(params.output-image-repo):$(tasks.determine-image-tag.results.IMAGE_TAG)-ppc64le
+ - name: DOCKERFILE
+ value: $(params.dockerfile)
+ - name: CONTEXT
+ value: $(params.path-context)
+ - name: HERMETIC
+ value: $(params.hermetic)
+ - name: PREFETCH_INPUT
+ value: $(params.prefetch-input)
+ - name: IMAGE_EXPIRES_AFTER
+ value: $(params.image-expires-after)
+ - name: COMMIT_SHA
+ value: $(tasks.clone-repository.results.commit)
+ - name: BUILD_ARGS
+ value:
+ - VERSIONS_SUFFIX=$(params.output-tag-suffix)
+ - MAIN_IMAGE_TAG=$(tasks.determine-image-tag.results.IMAGE_TAG)
+ - name: SOURCE_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+ - name: CACHI2_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
+ - name: PLATFORM
+ value: linux/ppc64le
+ taskRef:
+ params:
+ - name: name
+ value: buildah-remote-oci-ta
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.2@sha256:680521ecc2c984adb9e14d88ecdb6a24fa0bd6980283918e5e70d5c599336236
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(tasks.init.results.build)
+ operator: in
+ values: [ "true" ]
+
+ - name: build-container-arm64
+ params:
+ - name: IMAGE
+ value: $(params.output-image-repo):$(tasks.determine-image-tag.results.IMAGE_TAG)-arm64
+ - name: DOCKERFILE
+ value: $(params.dockerfile)
+ - name: CONTEXT
+ value: $(params.path-context)
+ - name: HERMETIC
+ value: $(params.hermetic)
+ - name: PREFETCH_INPUT
+ value: $(params.prefetch-input)
+ - name: IMAGE_EXPIRES_AFTER
+ value: $(params.image-expires-after)
+ - name: COMMIT_SHA
+ value: $(tasks.clone-repository.results.commit)
+ - name: BUILD_ARGS
+ value:
+ - VERSIONS_SUFFIX=$(params.output-tag-suffix)
+ - MAIN_IMAGE_TAG=$(tasks.determine-image-tag.results.IMAGE_TAG)
+ - name: SOURCE_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+ - name: CACHI2_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
+ - name: PLATFORM
+ value: linux/arm64
+ taskRef:
+ params:
+ - name: name
+ value: buildah-remote-oci-ta
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.2@sha256:680521ecc2c984adb9e14d88ecdb6a24fa0bd6980283918e5e70d5c599336236
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(tasks.init.results.build)
+ operator: in
+ values: [ "true" ]
+
+ - name: build-image-manifest
+ params:
+ - name: IMAGE
+ value: $(params.output-image-repo):$(tasks.determine-image-tag.results.IMAGE_TAG)
+ - name: COMMIT_SHA
+ value: $(tasks.clone-repository.results.commit)
+ - name: IMAGES
+ value:
+ - $(tasks.build-container-amd64.results.IMAGE_REF)
+ - $(tasks.build-container-s390x.results.IMAGE_REF)
+ - $(tasks.build-container-ppc64le.results.IMAGE_REF)
+ - $(tasks.build-container-arm64.results.IMAGE_REF)
+ - name: IMAGE_EXPIRES_AFTER
+ value: $(params.image-expires-after)
+ taskRef:
+ params:
+ - name: name
+ value: build-image-manifest
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-build-image-manifest:0.1@sha256:51f3122b7a2b34c04f0b142d853a49b992d609527825e9c1fa2110a8e55d795d
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(tasks.init.results.build)
+ operator: in
+ values: [ "true" ]
+
+ - name: build-image-manifest-konflux
+ params:
+ - name: IMAGE
+ value: $(params.output-image-repo):konflux-$(params.revision)
+ - name: COMMIT_SHA
+ value: $(tasks.clone-repository.results.commit)
+ - name: IMAGES
+ value:
+ - $(tasks.build-container-amd64.results.IMAGE_REF)
+ - $(tasks.build-container-s390x.results.IMAGE_REF)
+ - $(tasks.build-container-ppc64le.results.IMAGE_REF)
+ - $(tasks.build-container-arm64.results.IMAGE_REF)
+ - name: IMAGE_EXPIRES_AFTER
+ value: $(params.image-expires-after)
+ taskRef:
+ params:
+ - name: name
+ value: build-image-manifest
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-build-image-manifest:0.1@sha256:51f3122b7a2b34c04f0b142d853a49b992d609527825e9c1fa2110a8e55d795d
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(tasks.init.results.build)
+ operator: in
+ values: [ "true" ]
+
+ - name: build-source-image
+ params:
+ - name: BINARY_IMAGE
+ value: $(tasks.build-image-manifest.results.IMAGE_URL)
+ - name: SOURCE_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+ - name: CACHI2_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
+ taskRef:
+ params:
+ - name: name
+ value: source-build-oci-ta
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.1@sha256:99ee22c5e8e8a66da3d68ec5f3334e7cc59f8b8907e9d2a78f7338aa37d952eb
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(tasks.init.results.build)
+ operator: in
+ values: [ "true" ]
+ - input: $(params.build-source-image)
+ operator: in
+ values: [ "true" ]
+
+ - name: deprecated-base-image-check
+ params:
+ - name: IMAGE_URL
+ value: $(tasks.build-image-manifest.results.IMAGE_URL)
+ - name: IMAGE_DIGEST
+ value: $(tasks.build-image-manifest.results.IMAGE_DIGEST)
+ taskRef:
+ params:
+ - name: name
+ value: deprecated-image-check
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.4@sha256:d98fa9daf5ee12dfbf00880b83d092d01ce9994d79836548d2f82748bb0c64a2
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(params.skip-checks)
+ operator: in
+ values: [ "false" ]
+
+ - name: clair-scan
+ params:
+ - name: image-digest
+ value: $(tasks.build-image-manifest.results.IMAGE_DIGEST)
+ - name: image-url
+ value: $(tasks.build-image-manifest.results.IMAGE_URL)
+ taskRef:
+ params:
+ - name: name
+ value: clair-scan
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.1@sha256:baea4be429cf8d91f7c758378cea42819fe324f25a7f957bf9805409cab6d123
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(params.skip-checks)
+ operator: in
+ values: [ "false" ]
+
+ - name: sast-snyk-check
+ params:
+ - name: SOURCE_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+ taskRef:
+ params:
+ - name: name
+ value: sast-snyk-check-oci-ta
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.1@sha256:a5b18d0949240e2fc919277970fc1a9c4a0b13c4dec2bdf3ef579bc502a6f3d6
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(params.skip-checks)
+ operator: in
+ values: [ "false" ]
+
+ - name: clamav-scan
+ params:
+ - name: image-digest
+ value: $(tasks.build-image-manifest.results.IMAGE_DIGEST)
+ - name: image-url
+ value: $(tasks.build-image-manifest.results.IMAGE_URL)
+ taskRef:
+ params:
+ - name: name
+ value: clamav-scan
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.1@sha256:ea69f63ce7b25ebc39b817a5dd3f11e408518ac21e38baa54bd576a2e2f34b46
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(params.skip-checks)
+ operator: in
+ values: [ "false" ]
+
+ - name: sbom-json-check
+ params:
+ - name: IMAGE_URL
+ value: $(tasks.build-image-manifest.results.IMAGE_URL)
+ - name: IMAGE_DIGEST
+ value: $(tasks.build-image-manifest.results.IMAGE_DIGEST)
+ taskRef:
+ params:
+ - name: name
+ value: sbom-json-check
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-sbom-json-check:0.1@sha256:89b375e21613aa48a48bec8d61a166e07155e1282456c17dd794cd59933cdeaa
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(params.skip-checks)
+ operator: in
+ values: [ "false" ]
From eca239f9db028120c52b7a0a6c9d969bf2bdbce7 Mon Sep 17 00:00:00 2001
From: Misha Sugakov
Date: Fri, 16 Aug 2024 10:45:43 +0200
Subject: [PATCH 03/18] Adjust pipeline for retagging, with dummy Dockerfile
---
.konflux/konflux.retag.Dockerfile | 3 +++
.tekton/collector-retag.yaml | 25 ++++++++-----------------
.tekton/retag-pipeline.yaml | 2 +-
3 files changed, 12 insertions(+), 18 deletions(-)
create mode 100644 .konflux/konflux.retag.Dockerfile
diff --git a/.konflux/konflux.retag.Dockerfile b/.konflux/konflux.retag.Dockerfile
new file mode 100644
index 0000000000000..5185e6b70c8e3
--- /dev/null
+++ b/.konflux/konflux.retag.Dockerfile
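Review bot: In `.tekton/retag-pipeline.yaml`, `determine-image-tag` is the only task referenced by bare name (`taskRef: name: determine-image-tag`); every other task goes through the `bundles` resolver with a `@sha256:` digest. That is presumably because it is defined in this repository rather than in the Konflux catalog, but the file does not say so. A comment above that `taskRef`, e.g. `# Repo-local task, not a catalog bundle; resolved by name and not pinned by digest`, would make the different trust assumption explicit for anyone auditing which task definitions this pipeline executes.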
@@ -0,0 +1,3 @@ +FROM registry.access.redhat.com/ubi8/ubi-minimal:latest + +LABEL foo=bar diff --git a/.tekton/collector-retag.yaml b/.tekton/collector-retag.yaml index 122a0175e5b59..ccddc66dc2d75 100644 --- a/.tekton/collector-retag.yaml +++ b/.tekton/collector-retag.yaml @@ -14,34 +14,35 @@ metadata: (event == "pull_request" && (source_branch.matches("(konflux|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build"))) labels: appstudio.openshift.io/application: acs - appstudio.openshift.io/component: roxctl + appstudio.openshift.io/component: collector pipelines.appstudio.openshift.io/type: build - name: roxctl-build + name: collector-full-retag namespace: rh-acs-tenant spec: params: - name: dockerfile - value: image/roxctl/konflux.Dockerfile + value: .konflux/konflux.retag.Dockerfile - name: git-url value: '{{repo_url}}' - name: image-expires-after # TODO(ROX-24530): return expiration for non-released images to 13w value: '52w' - name: output-image-repo - value: quay.io/rhacs-eng/roxctl + value: quay.io/rhacs-eng/collector - name: path-context value: . - name: revision value: '{{revision}}' - name: rebuild value: 'true' - # TODO(ROX-20234): Enable hermetic builds + # TODO(ROX-24468): Enable hermetic builds for retagging # - name: hermetic # value: 'true' + # No language dependencies are required for retagging builds. - name: prefetch-input - value: '{"type": "gomod", "path": "."}' + value: '' - name: build-source-image value: 'true' - name: clone-depth 
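Review bot: `FROM registry.access.redhat.com/ubi8/ubi-minimal:latest` uses a floating tag, so two runs of the same revision can produce different images. Even for a stand-in Dockerfile, pin it by digest, e.g. `FROM registry.access.redhat.com/ubi8/ubi-minimal@sha256:<digest>` (placeholder; fill in the digest you intend to build on). `LABEL foo=bar` is a placeholder that would end up on an image pushed to the output repository; replace it with a meaningful label or annotate it with a comment such as `# placeholder layer so the build produces a new image; replace before merge`.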
@@ -55,19 +56,9 @@ spec: secretName: '{{ git_auth_secret }}' pipelineRef: - name: basic-component-pipeline + name: retag-pipeline taskRunSpecs: - - pipelineTaskName: build-container-amd64 - stepSpecs: - - name: build - # CPU requests are increased to speed up builds compared to the defaults. - # Defaults: https://github.com/konflux-ci/build-definitions/blob/main/task/buildah/0.1/buildah.yaml#L147 - computeResources: - limits: - cpu: 2 - requests: - cpu: 2 timeouts: # The tasks regularly takes 1h to finish. diff --git a/.tekton/retag-pipeline.yaml b/.tekton/retag-pipeline.yaml index 2dcad38ef7f4f..b56688d1ee3bb 100644 --- a/.tekton/retag-pipeline.yaml +++ b/.tekton/retag-pipeline.yaml @@ -1,7 +1,7 @@ apiVersion: tekton.dev/v1 kind: Pipeline metadata: - name: basic-component-pipeline + name: retag-pipeline spec: finally: From 3eb8b04072d8dc93fbfa5b67c9dc684c1de9932f Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Fri, 16 Aug 2024 12:33:57 +0200 Subject: [PATCH 04/18] Extend determine-image-tag task to get collector/scanner tags --- .tekton/determine-image-tag-task.yaml | 6 +++++- .tekton/retag-pipeline.yaml | 14 ++++++++++++++ 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/.tekton/determine-image-tag-task.yaml b/.tekton/determine-image-tag-task.yaml index 69d52c384c910..e22f7fb646507 100644 --- a/.tekton/determine-image-tag-task.yaml +++ b/.tekton/determine-image-tag-task.yaml @@ -19,6 +19,10 @@ spec: description: Directory in which to run 'make' command. type: string default: "." + - name: MAKEFILE_TARGET + description: Makefile target to run. + type: string + default: "tag" results: - name: IMAGE_TAG description: Image Tag determined by custom logic. 
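Review bot: After its only entry is removed, `taskRunSpecs:` in collector-retag.yaml is left with no value, which YAML loads as null rather than as an empty list. Drop the key, or write `taskRunSpecs: []` if it is kept as a placeholder for later overrides. The `timeouts` comment `# The tasks regularly takes 1h to finish.` in the trailing context was written for the roxctl build and probably no longer describes a retag run. `spec` continues outside the hunk.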
@@ -45,5 +49,5 @@ spec: dnf -y install git make .konflux/scripts/fail-build-if-git-is-dirty.sh - image_tag="$(make -C "$(params.MAKEFILE_DIRECTORY)" --quiet --no-print-directory tag)$(params.TAG_SUFFIX)" + image_tag="$(make -C "$(params.MAKEFILE_DIRECTORY)" --quiet --no-print-directory "$(params.MAKEFILE_TARGET)")$(params.TAG_SUFFIX)" echo -n "$image_tag" | tee "$(results.IMAGE_TAG.path)" diff --git a/.tekton/retag-pipeline.yaml b/.tekton/retag-pipeline.yaml index b56688d1ee3bb..ab28e20f12942 100644 --- a/.tekton/retag-pipeline.yaml +++ b/.tekton/retag-pipeline.yaml @@ -55,6 +55,9 @@ spec: description: Suffix that will be appended to the output image tag. name: output-tag-suffix type: string + - description: Makefile target to execute in order to determine base image tag. + name: base-image-tag-makefile-target + type: string - default: . description: Path to the source code of an application's component from where to build image. @@ -190,6 +193,17 @@ spec: taskRef: name: determine-image-tag + - name: determine-base-image-tag + params: + - name: MAKEFILE_TARGET + value: $(params.base-image-tag-makefile-target) + - name: TAG_SUFFIX + value: $(params.output-tag-suffix) + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + taskRef: + name: determine-image-tag + - name: prefetch-dependencies params: - name: input From 87225e9a2c131a133b8d960902df1f59312f7c8e Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Fri, 16 Aug 2024 12:42:15 +0200 Subject: [PATCH 05/18] Plug base image into dockerfile --- .konflux/konflux.retag.Dockerfile | 4 +++- .tekton/collector-retag.yaml | 2 ++ .tekton/retag-pipeline.yaml | 4 ++++ 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/.konflux/konflux.retag.Dockerfile b/.konflux/konflux.retag.Dockerfile index 5185e6b70c8e3..fd38b49f867a3 100644 --- a/.konflux/konflux.retag.Dockerfile +++ b/.konflux/konflux.retag.Dockerfile 
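Review bot: `$(params.MAKEFILE_TARGET)` is substituted by Tekton into the script text before the shell runs, so the double quotes around it on the `make` line do not stop a value containing `"` or `$(` from being interpreted as shell. Pass it through the step environment instead: add `env: [{name: MAKEFILE_TARGET, value: $(params.MAKEFILE_TARGET)}]` to the step and use `"${MAKEFILE_TARGET}"` in the command. The same line already interpolates `$(params.MAKEFILE_DIRECTORY)` and `$(params.TAG_SUFFIX)` this way, and they would benefit from the same treatment. The value currently comes from pipeline parameters set under `.tekton/`, so exposure depends on who can change those files on a triggering branch; the step definition starts outside the hunk.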
@@ -1,3 +1,5 @@ -FROM registry.access.redhat.com/ubi8/ubi-minimal:latest +ARG BASE_IMAGE + +FROM $BASE_IMAGE LABEL foo=bar diff --git a/.tekton/collector-retag.yaml b/.tekton/collector-retag.yaml index ccddc66dc2d75..31b9590fb34a9 100644 --- a/.tekton/collector-retag.yaml +++ b/.tekton/collector-retag.yaml @@ -31,6 +31,8 @@ spec: value: '52w' - name: output-image-repo value: quay.io/rhacs-eng/collector + - name: base-image-tag-makefile-target + value: collector-tag - name: path-context value: . - name: revision diff --git a/.tekton/retag-pipeline.yaml b/.tekton/retag-pipeline.yaml index ab28e20f12942..bc49ab5a18528 100644 --- a/.tekton/retag-pipeline.yaml +++ b/.tekton/retag-pipeline.yaml @@ -242,6 +242,7 @@ spec: value: $(tasks.clone-repository.results.commit) - name: BUILD_ARGS value: + - BASE_IMAGE=$(params.output-image-repo):$(tasks.determine-base-image-tag.results.IMAGE_TAG)-amd64 - VERSIONS_SUFFIX=$(params.output-tag-suffix) - MAIN_IMAGE_TAG=$(tasks.determine-image-tag.results.IMAGE_TAG) - name: SOURCE_ARTIFACT @@ -280,6 +281,7 @@ spec: value: $(tasks.clone-repository.results.commit) - name: BUILD_ARGS value: + - BASE_IMAGE=$(params.output-image-repo):$(tasks.determine-base-image-tag.results.IMAGE_TAG)-s390x - VERSIONS_SUFFIX=$(params.output-tag-suffix) - MAIN_IMAGE_TAG=$(tasks.determine-image-tag.results.IMAGE_TAG) - name: SOURCE_ARTIFACT @@ -320,6 +322,7 @@ spec: value: $(tasks.clone-repository.results.commit) - name: BUILD_ARGS value: + - BASE_IMAGE=$(params.output-image-repo):$(tasks.determine-base-image-tag.results.IMAGE_TAG)-ppc64le - VERSIONS_SUFFIX=$(params.output-tag-suffix) - MAIN_IMAGE_TAG=$(tasks.determine-image-tag.results.IMAGE_TAG) - name: SOURCE_ARTIFACT 
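Review bot: In the `BUILD_ARGS` hunks of retag-pipeline.yaml, `BASE_IMAGE` is built from `$(params.output-image-repo)` and a tag, so `FROM $BASE_IMAGE` pulls whatever that tag points to when the build runs. For an image that is only being retagged, consider resolving the tag to a digest first and passing `BASE_IMAGE=<repo>@sha256:<digest>`, so the output is tied to one specific input. The tag also comes from `determine-base-image-tag`, which is invoked with `TAG_SUFFIX` set to `$(params.output-tag-suffix)` (default `-fast`), so the reference has the form `<collector-tag>-fast-amd64`; if the source collector image is not published under that suffix, the `FROM` will not resolve. This applies equally to the s390x, ppc64le and arm64 hunks.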
@@ -360,6 +363,7 @@ spec: value: $(tasks.clone-repository.results.commit) - name: BUILD_ARGS value: + - BASE_IMAGE=$(params.output-image-repo):$(tasks.determine-base-image-tag.results.IMAGE_TAG)-arm64 - VERSIONS_SUFFIX=$(params.output-tag-suffix) - MAIN_IMAGE_TAG=$(tasks.determine-image-tag.results.IMAGE_TAG) - name: SOURCE_ARTIFACT From 4d58f2314ecb243b5fdb8ed3e78e5e0cce02fc4b Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Fri, 16 Aug 2024 17:15:49 +0200 Subject: [PATCH 06/18] Try use build-image-manifest as a way to retag --- .tekton/retag-pipeline.yaml | 181 ++---------------------------------- 1 file changed, 8 insertions(+), 173 deletions(-) diff --git a/.tekton/retag-pipeline.yaml b/.tekton/retag-pipeline.yaml index bc49ab5a18528..b714d386daaa6 100644 --- a/.tekton/retag-pipeline.yaml +++ b/.tekton/retag-pipeline.yaml @@ -123,9 +123,6 @@ spec: - description: "" name: CHAINS-GIT_COMMIT value: $(tasks.clone-repository.results.commit) - - description: "" - name: JAVA_COMMUNITY_DEPENDENCIES - value: $(tasks.build-container-amd64.results.JAVA_COMMUNITY_DEPENDENCIES) workspaces: - name: git-auth 
@@ -224,168 +221,6 @@ spec: value: task resolver: bundles - - name: build-container-amd64 - params: - - name: IMAGE - value: $(params.output-image-repo):$(tasks.determine-image-tag.results.IMAGE_TAG)-amd64 - - name: DOCKERFILE - value: $(params.dockerfile) - - name: CONTEXT - value: $(params.path-context) - - name: HERMETIC - value: $(params.hermetic) - - name: PREFETCH_INPUT - value: $(params.prefetch-input) - - name: IMAGE_EXPIRES_AFTER - value: $(params.image-expires-after) - - name: COMMIT_SHA - value: $(tasks.clone-repository.results.commit) - - name: BUILD_ARGS - value: - - BASE_IMAGE=$(params.output-image-repo):$(tasks.determine-base-image-tag.results.IMAGE_TAG)-amd64 - - VERSIONS_SUFFIX=$(params.output-tag-suffix) - - MAIN_IMAGE_TAG=$(tasks.determine-image-tag.results.IMAGE_TAG) - - name: SOURCE_ARTIFACT - value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - - name: CACHI2_ARTIFACT - value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - taskRef: - params: - - name: name - value: buildah-oci-ta - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.2@sha256:f4c1b22c16dcc0356694ef37545ead51bce136807abd9bd71190d87c11629d96 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - - - name: build-container-s390x - params: - - name: IMAGE - value: $(params.output-image-repo):$(tasks.determine-image-tag.results.IMAGE_TAG)-s390x - - name: DOCKERFILE - value: $(params.dockerfile) - - name: CONTEXT - value: $(params.path-context) - - name: HERMETIC - value: $(params.hermetic) - - name: PREFETCH_INPUT - value: $(params.prefetch-input) - - name: IMAGE_EXPIRES_AFTER - value: $(params.image-expires-after) - - name: COMMIT_SHA - value: $(tasks.clone-repository.results.commit) - - name: BUILD_ARGS - value: - - BASE_IMAGE=$(params.output-image-repo):$(tasks.determine-base-image-tag.results.IMAGE_TAG)-s390x - - 
VERSIONS_SUFFIX=$(params.output-tag-suffix) - - MAIN_IMAGE_TAG=$(tasks.determine-image-tag.results.IMAGE_TAG) - - name: SOURCE_ARTIFACT - value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - - name: CACHI2_ARTIFACT - value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - - name: PLATFORM - value: linux/s390x - taskRef: - params: - - name: name - value: buildah-remote-oci-ta - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.2@sha256:680521ecc2c984adb9e14d88ecdb6a24fa0bd6980283918e5e70d5c599336236 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - - - name: build-container-ppc64le - params: - - name: IMAGE - value: $(params.output-image-repo):$(tasks.determine-image-tag.results.IMAGE_TAG)-ppc64le - - name: DOCKERFILE - value: $(params.dockerfile) - - name: CONTEXT - value: $(params.path-context) - - name: HERMETIC - value: $(params.hermetic) - - name: PREFETCH_INPUT - value: $(params.prefetch-input) - - name: IMAGE_EXPIRES_AFTER - value: $(params.image-expires-after) - - name: COMMIT_SHA - value: $(tasks.clone-repository.results.commit) - - name: BUILD_ARGS - value: - - BASE_IMAGE=$(params.output-image-repo):$(tasks.determine-base-image-tag.results.IMAGE_TAG)-ppc64le - - VERSIONS_SUFFIX=$(params.output-tag-suffix) - - MAIN_IMAGE_TAG=$(tasks.determine-image-tag.results.IMAGE_TAG) - - name: SOURCE_ARTIFACT - value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - - name: CACHI2_ARTIFACT - value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - - name: PLATFORM - value: linux/ppc64le - taskRef: - params: - - name: name - value: buildah-remote-oci-ta - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.2@sha256:680521ecc2c984adb9e14d88ecdb6a24fa0bd6980283918e5e70d5c599336236 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: 
in - values: [ "true" ] - - - name: build-container-arm64 - params: - - name: IMAGE - value: $(params.output-image-repo):$(tasks.determine-image-tag.results.IMAGE_TAG)-arm64 - - name: DOCKERFILE - value: $(params.dockerfile) - - name: CONTEXT - value: $(params.path-context) - - name: HERMETIC - value: $(params.hermetic) - - name: PREFETCH_INPUT - value: $(params.prefetch-input) - - name: IMAGE_EXPIRES_AFTER - value: $(params.image-expires-after) - - name: COMMIT_SHA - value: $(tasks.clone-repository.results.commit) - - name: BUILD_ARGS - value: - - BASE_IMAGE=$(params.output-image-repo):$(tasks.determine-base-image-tag.results.IMAGE_TAG)-arm64 - - VERSIONS_SUFFIX=$(params.output-tag-suffix) - - MAIN_IMAGE_TAG=$(tasks.determine-image-tag.results.IMAGE_TAG) - - name: SOURCE_ARTIFACT - value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - - name: CACHI2_ARTIFACT - value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - - name: PLATFORM - value: linux/arm64 - taskRef: - params: - - name: name - value: buildah-remote-oci-ta - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.2@sha256:680521ecc2c984adb9e14d88ecdb6a24fa0bd6980283918e5e70d5c599336236 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - - name: build-image-manifest params: - name: IMAGE 
@@ -394,10 +229,10 @@ spec: value: $(tasks.clone-repository.results.commit) - name: IMAGES value: - - $(tasks.build-container-amd64.results.IMAGE_REF) - - $(tasks.build-container-s390x.results.IMAGE_REF) - - $(tasks.build-container-ppc64le.results.IMAGE_REF) - - $(tasks.build-container-arm64.results.IMAGE_REF) + - $(params.output-image-repo):$(tasks.determine-base-image-tag.results.IMAGE_TAG)-amd64 + - $(params.output-image-repo):$(tasks.determine-base-image-tag.results.IMAGE_TAG)-s390x + - $(params.output-image-repo):$(tasks.determine-base-image-tag.results.IMAGE_TAG)-ppc64le + - $(params.output-image-repo):$(tasks.determine-base-image-tag.results.IMAGE_TAG)-arm64 - name: IMAGE_EXPIRES_AFTER value: $(params.image-expires-after) taskRef: @@ -422,10 +257,10 @@ spec: value: $(tasks.clone-repository.results.commit) - name: IMAGES value: - - $(tasks.build-container-amd64.results.IMAGE_REF) - - $(tasks.build-container-s390x.results.IMAGE_REF) - - $(tasks.build-container-ppc64le.results.IMAGE_REF) - - $(tasks.build-container-arm64.results.IMAGE_REF) + - $(params.output-image-repo):$(tasks.determine-base-image-tag.results.IMAGE_TAG)-amd64 + - $(params.output-image-repo):$(tasks.determine-base-image-tag.results.IMAGE_TAG)-s390x + - $(params.output-image-repo):$(tasks.determine-base-image-tag.results.IMAGE_TAG)-ppc64le + - $(params.output-image-repo):$(tasks.determine-base-image-tag.results.IMAGE_TAG)-arm64 - name: IMAGE_EXPIRES_AFTER value: $(params.image-expires-after) taskRef: From 3b80597c28056362abdaf6654b6858d119888c4a Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Tue, 10 Sep 2024 21:08:47 +0200 Subject: [PATCH 07/18] Delete retag.Dockerfile because there's no need in it --- .konflux/konflux.retag.Dockerfile | 5 ----- .tekton/collector-retag.yaml | 2 -- 2 files changed, 7 deletions(-) delete mode 100644 .konflux/konflux.retag.Dockerfile 
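Review bot: The four `IMAGES` entries now point at per-architecture tags, where the removed lines took `$(tasks.build-container-*.results.IMAGE_REF)` from tasks in the same run, so the image index is assembled from whatever those tags resolve to at run time. Nothing in the hunk checks that all four tags exist or which digests they had; presumably `IMAGE_REF` carried a digest, which should be confirmed. Consider a step that resolves each tag to `<repo>@sha256:<digest>` (placeholder) and fails on a missing architecture before `build-image-manifest` runs. The second `IMAGES` list in the next hunk has the same change, and both task definitions extend outside the hunks.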
diff --git a/.konflux/konflux.retag.Dockerfile b/.konflux/konflux.retag.Dockerfile deleted file mode 100644 index fd38b49f867a3..0000000000000 --- a/.konflux/konflux.retag.Dockerfile +++ /dev/null @@ -1,5 +0,0 @@ -ARG BASE_IMAGE - -FROM $BASE_IMAGE - -LABEL foo=bar diff --git a/.tekton/collector-retag.yaml b/.tekton/collector-retag.yaml index 31b9590fb34a9..7b28b85cdd6be 100644 --- a/.tekton/collector-retag.yaml +++ b/.tekton/collector-retag.yaml @@ -22,8 +22,6 @@ metadata: spec: params: - - name: dockerfile - value: .konflux/konflux.retag.Dockerfile - name: git-url value: '{{repo_url}}' - name: image-expires-after From d845f90df1af34fab29269c8ad3a69ef5b702bd0 Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Tue, 10 Sep 2024 21:11:10 +0200 Subject: [PATCH 08/18] Reformat retag-pipeline.yaml --- .tekton/retag-pipeline.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.tekton/retag-pipeline.yaml b/.tekton/retag-pipeline.yaml index b714d386daaa6..6c22fbefbfd4f 100644 --- a/.tekton/retag-pipeline.yaml +++ b/.tekton/retag-pipeline.yaml @@ -15,7 +15,7 @@ spec: # Run when any task has Failed - input: $(tasks.status) operator: in - values: ["Failed"] + values: [ "Failed" ] taskRef: params: - name: name @@ -192,12 +192,12 @@ spec: - name: determine-base-image-tag params: - - name: MAKEFILE_TARGET - value: $(params.base-image-tag-makefile-target) - - name: TAG_SUFFIX - value: $(params.output-tag-suffix) - - name: SOURCE_ARTIFACT - value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: MAKEFILE_TARGET + value: $(params.base-image-tag-makefile-target) + - name: TAG_SUFFIX + value: $(params.output-tag-suffix) + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) taskRef: name: determine-image-tag From b5cf7819c0608b4b8f2f6ef78b4b3851bbd2b1b1 Mon Sep 17 00:00:00 2001 
From: Misha Sugakov Date: Tue, 10 Sep 2024 21:17:23 +0200 Subject: [PATCH 09/18] Synchronize `retag-pipeline.yaml` from the fresh basic one --- .tekton/retag-pipeline.yaml | 42 +++++++++++++++++++------------------ 1 file changed, 22 insertions(+), 20 deletions(-) diff --git a/.tekton/retag-pipeline.yaml b/.tekton/retag-pipeline.yaml index 6c22fbefbfd4f..7346be258788a 100644 --- a/.tekton/retag-pipeline.yaml +++ b/.tekton/retag-pipeline.yaml @@ -169,7 +169,7 @@ spec: - name: name value: git-clone-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:0f4360ce144d46171ebd2e8f4d4575539a0600e02208ba5fc9beeb2c27ddfd4c + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:b03bb5e21665b17ae2f645496013a072b00f1a174024dc1ff41dc626f364c66b - name: kind value: task resolver: bundles @@ -216,7 +216,7 @@ spec: - name: name value: prefetch-dependencies-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:f13f6783f73971e4d1fbe8fd7fde3ea6cc080943c3fe2a4338ce6373c43f26a7 + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:e94e26372125c35ae4c88bcccf7036624bd71f4dce7a7d710cdaae635063a2a6 - name: kind value: task resolver: bundles @@ -240,7 +240,7 @@ spec: - name: name value: build-image-manifest - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-build-image-manifest:0.1@sha256:51f3122b7a2b34c04f0b142d853a49b992d609527825e9c1fa2110a8e55d795d + value: quay.io/konflux-ci/tekton-catalog/task-build-image-manifest:0.1@sha256:ff7779cea8cd99c211e690f218fc367fe30374e528bb53507a73c7214be8ce9d - name: kind value: task resolver: bundles 
@@ -268,7 +268,7 @@ spec: - name: name value: build-image-manifest - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-build-image-manifest:0.1@sha256:51f3122b7a2b34c04f0b142d853a49b992d609527825e9c1fa2110a8e55d795d + value: quay.io/konflux-ci/tekton-catalog/task-build-image-manifest:0.1@sha256:ff7779cea8cd99c211e690f218fc367fe30374e528bb53507a73c7214be8ce9d - name: kind value: task resolver: bundles @@ -290,7 +290,7 @@ spec: - name: name value: source-build-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.1@sha256:99ee22c5e8e8a66da3d68ec5f3334e7cc59f8b8907e9d2a78f7338aa37d952eb + value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.1@sha256:639995e4221da90f5a9fc14dacd0dba384e2a37e3a2c7aa5dafec3c2ab3f5f74 - name: kind value: task resolver: bundles @@ -342,26 +342,28 @@ spec: operator: in values: [ "false" ] - - name: sast-snyk-check + - name: ecosystem-cert-preflight-checks params: - - name: SOURCE_ARTIFACT - value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: image-url + value: $(tasks.build-image-manifest.results.IMAGE_URL) taskRef: params: - name: name - value: sast-snyk-check-oci-ta + value: ecosystem-cert-preflight-checks - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.1@sha256:a5b18d0949240e2fc919277970fc1a9c4a0b13c4dec2bdf3ef579bc502a6f3d6 + value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.1@sha256:5131cce0f93d0b728c7bcc0d6cee4c61d4c9f67c6d619c627e41e3c9775b497d - name: kind value: task resolver: bundles when: - input: $(params.skip-checks) operator: in - values: [ "false" ] + values: ["false"] - - name: clamav-scan + - name: sast-snyk-check params: + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - name: image-digest value: $(tasks.build-image-manifest.results.IMAGE_DIGEST) - name: image-url 
@@ -369,9 +371,9 @@ spec: taskRef: params: - name: name - value: clamav-scan + value: sast-snyk-check-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.1@sha256:ea69f63ce7b25ebc39b817a5dd3f11e408518ac21e38baa54bd576a2e2f34b46 + value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.2@sha256:c2f5eb19cfe6e48595368cc50907be74a7c8a375866ad16e7663df540825af6b - name: kind value: task resolver: bundles @@ -380,18 +382,18 @@ spec: operator: in values: [ "false" ] - - name: sbom-json-check + - name: clamav-scan params: - - name: IMAGE_URL - value: $(tasks.build-image-manifest.results.IMAGE_URL) - - name: IMAGE_DIGEST + - name: image-digest value: $(tasks.build-image-manifest.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-manifest.results.IMAGE_URL) taskRef: params: - name: name - value: sbom-json-check + value: clamav-scan - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sbom-json-check:0.1@sha256:89b375e21613aa48a48bec8d61a166e07155e1282456c17dd794cd59933cdeaa + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.1@sha256:7bb17b937c9342f305468e8a6d0a22493e3ecde58977bd2ffc8b50e2fa234d58 - name: kind value: task resolver: bundles From d92e09a14fd38c7c8025b3002b570dbc4b523a68 Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Tue, 10 Sep 2024 21:18:51 +0200 Subject: [PATCH 10/18] Reformat once more --- .tekton/retag-pipeline.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.tekton/retag-pipeline.yaml b/.tekton/retag-pipeline.yaml index 7346be258788a..f50abeef95f1a 100644 --- a/.tekton/retag-pipeline.yaml +++ b/.tekton/retag-pipeline.yaml @@ -358,7 +358,7 @@ spec: when: - input: $(params.skip-checks) operator: in - values: ["false"] + values: [ "false" ] - name: sast-snyk-check params: From 776b738a76b61ebad6bb2bc025918dad4ec62e06 Mon Sep 17 00:00:00 2001 
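Review bot: In the last hunk the `sbom-json-check` task is replaced by `clamav-scan` and, as far as the visible hunks show, is not re-added anywhere, so this sync appears to drop the SBOM check while the commit message only speaks of synchronising with the basic pipeline. If that is intended, say so in the commit message; otherwise restore the task. The same commit moves `sast-snyk-check-oci-ta` from `0.1` to `0.2`, which is more than a digest refresh and deserves a line in the message as well. The task list continues outside the hunk.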
From: Misha Sugakov Date: Wed, 11 Sep 2024 12:08:05 +0200 Subject: [PATCH 11/18] Update and move collector full retagging --- ...lector-retag.yaml => collector-full-retag.yaml} | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) rename .tekton/{collector-retag.yaml => collector-full-retag.yaml} (86%) diff --git a/.tekton/collector-retag.yaml b/.tekton/collector-full-retag.yaml similarity index 86% rename from .tekton/collector-retag.yaml rename to .tekton/collector-full-retag.yaml index 7b28b85cdd6be..778a27810875b 100644 --- a/.tekton/collector-retag.yaml +++ b/.tekton/collector-full-retag.yaml @@ -25,8 +25,7 @@ spec: - name: git-url value: '{{repo_url}}' - name: image-expires-after - # TODO(ROX-24530): return expiration for non-released images to 13w - value: '52w' + value: '13w' - name: output-image-repo value: quay.io/rhacs-eng/collector - name: base-image-tag-makefile-target @@ -37,9 +36,8 @@ spec: value: '{{revision}}' - name: rebuild value: 'true' - # TODO(ROX-24468): Enable hermetic builds for retagging - # - name: hermetic - # value: 'true' + - name: hermetic + value: 'true' # No language dependencies are required for retagging builds. - name: prefetch-input value: '' @@ -61,8 +59,8 @@ spec: taskRunSpecs: timeouts: - # The tasks regularly takes 1h to finish. - tasks: 1h + # Retagging pipeline should be quick-ish. + tasks: 30m # Reserve time for final tasks to run. finally: 10m - pipeline: 1h10m + pipeline: 40m From 324afdace4f951cec4d41d4462a162966dc8e8ec Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Fri, 13 Sep 2024 18:04:33 +0200 Subject: [PATCH 12/18] Add collector-slim retag pipeline --- .tekton/collector-full-retag.yaml | 2 + .tekton/collector-slim-retag.yaml | 68 +++++++++++++++++++++++++++++++ .tekton/retag-pipeline.yaml | 25 +++++++----- 3 files changed, 84 insertions(+), 11 deletions(-) create mode 100644 .tekton/collector-slim-retag.yaml 
diff --git a/.tekton/collector-full-retag.yaml b/.tekton/collector-full-retag.yaml index 778a27810875b..a801e21016e51 100644 --- a/.tekton/collector-full-retag.yaml +++ b/.tekton/collector-full-retag.yaml @@ -28,6 +28,8 @@ spec: value: '13w' - name: output-image-repo value: quay.io/rhacs-eng/collector + - name: base-image-repo + value: quay.io/rhacs-eng/collector - name: base-image-tag-makefile-target value: collector-tag - name: path-context diff --git a/.tekton/collector-slim-retag.yaml b/.tekton/collector-slim-retag.yaml new file mode 100644 index 0000000000000..82fcc13fecbd4 --- /dev/null +++ b/.tekton/collector-slim-retag.yaml 
@@ -0,0 +1,68 @@ +apiVersion: tekton.dev/v1 +kind: PipelineRun + +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/stackrox/stackrox?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/max-keep-runs: "500" + # TODO(ROX-21073): re-enable for all PR branches + pipelinesascode.tekton.dev/on-cel-expression: | + (event == "push" && target_branch.matches("^(master|release-.*)$")) || + (event == "pull_request" && (source_branch.matches("(konflux|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build"))) + labels: + appstudio.openshift.io/application: acs + appstudio.openshift.io/component: collector + pipelines.appstudio.openshift.io/type: build + name: collector-slim-retag + namespace: rh-acs-tenant + +spec: + + params: + - name: git-url + value: '{{repo_url}}' + - name: image-expires-after + value: '13w' + - name: output-image-repo + value: quay.io/rhacs-eng/collector-slim + - name: base-image-repo + value: quay.io/rhacs-eng/collector + - name: base-image-tag-makefile-target + value: collector-tag + - name: path-context + value: . + - name: revision + value: '{{revision}}' + - name: rebuild + value: 'true' + - name: hermetic + value: 'true' + # No language dependencies are required for retagging builds. + - name: prefetch-input + value: '' + - name: build-source-image + value: 'true' + - name: clone-depth + value: '0' + - name: clone-fetch-tags + value: 'true' + + workspaces: + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' + + pipelineRef: + name: retag-pipeline + + taskRunSpecs: + + timeouts: + # Retagging pipeline should be quick-ish. + tasks: 30m + # Reserve time for final tasks to run. + finally: 10m + pipeline: 40m 
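Review bot: The `appstudio.openshift.io/component` label in the new file is `collector`, while the run is named `collector-slim-retag` and pushes to `quay.io/rhacs-eng/collector-slim`. If the slim image has its own component, results from this run would be attributed to the other component, so the label should probably read `appstudio.openshift.io/component: collector-slim`; confirm against the component list. Separately, `taskRunSpecs:` has no value and parses as null; write `taskRunSpecs: []` or drop the key.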
diff --git a/.tekton/retag-pipeline.yaml b/.tekton/retag-pipeline.yaml index f50abeef95f1a..8357de819cfc5 100644 --- a/.tekton/retag-pipeline.yaml +++ b/.tekton/retag-pipeline.yaml @@ -55,7 +55,10 @@ spec: description: Suffix that will be appended to the output image tag. name: output-tag-suffix type: string - - description: Makefile target to execute in order to determine base image tag. + - description: Base (input) Image Repository + name: base-image-repo + type: string + - description: Makefile target to execute in order to determine base (input) image tag. name: base-image-tag-makefile-target type: string - default: . @@ -181,7 +184,7 @@ spec: - name: basic-auth workspace: git-auth - - name: determine-image-tag + - name: determine-output-image-tag params: - name: TAG_SUFFIX value: $(params.output-tag-suffix) @@ -224,15 +227,15 @@ spec: - name: build-image-manifest params: - name: IMAGE - value: $(params.output-image-repo):$(tasks.determine-image-tag.results.IMAGE_TAG) + value: $(params.output-image-repo):$(tasks.determine-output-image-tag.results.IMAGE_TAG) - name: COMMIT_SHA value: $(tasks.clone-repository.results.commit) - name: IMAGES value: - - $(params.output-image-repo):$(tasks.determine-base-image-tag.results.IMAGE_TAG)-amd64 - - $(params.output-image-repo):$(tasks.determine-base-image-tag.results.IMAGE_TAG)-s390x - - $(params.output-image-repo):$(tasks.determine-base-image-tag.results.IMAGE_TAG)-ppc64le - - $(params.output-image-repo):$(tasks.determine-base-image-tag.results.IMAGE_TAG)-arm64 + - $(params.base-image-repo):$(tasks.determine-base-image-tag.results.IMAGE_TAG)-amd64 + - $(params.base-image-repo):$(tasks.determine-base-image-tag.results.IMAGE_TAG)-s390x + - $(params.base-image-repo):$(tasks.determine-base-image-tag.results.IMAGE_TAG)-ppc64le + - $(params.base-image-repo):$(tasks.determine-base-image-tag.results.IMAGE_TAG)-arm64 - name: IMAGE_EXPIRES_AFTER value: $(params.image-expires-after) taskRef: 
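Review bot: The task is renamed from `determine-image-tag` to `determine-output-image-tag`, and only the `IMAGE` value of the first manifest task is updated in these hunks. Any other `$(tasks.determine-image-tag.results.IMAGE_TAG)` reference left in the file would make the pipeline invalid. The `IMAGE` parameter of the second manifest task lies just above the last hunk and is not shown, so it is worth checking. The new `base-image-repo` parameter has no default, which means every PipelineRun using `retag-pipeline` must set it; the description could say so: `Repository holding the already built per-architecture images (required).`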
@@ -257,10 +260,10 @@ spec: value: $(tasks.clone-repository.results.commit) - name: IMAGES value: - - $(params.output-image-repo):$(tasks.determine-base-image-tag.results.IMAGE_TAG)-amd64 - - $(params.output-image-repo):$(tasks.determine-base-image-tag.results.IMAGE_TAG)-s390x - - $(params.output-image-repo):$(tasks.determine-base-image-tag.results.IMAGE_TAG)-ppc64le - - $(params.output-image-repo):$(tasks.determine-base-image-tag.results.IMAGE_TAG)-arm64 + - $(params.base-image-repo):$(tasks.determine-base-image-tag.results.IMAGE_TAG)-amd64 + - $(params.base-image-repo):$(tasks.determine-base-image-tag.results.IMAGE_TAG)-s390x + - $(params.base-image-repo):$(tasks.determine-base-image-tag.results.IMAGE_TAG)-ppc64le + - $(params.base-image-repo):$(tasks.determine-base-image-tag.results.IMAGE_TAG)-arm64 - name: IMAGE_EXPIRES_AFTER value: $(params.image-expires-after) taskRef: From dfb918c99752a82980d6502d179c0931ab2f6954 Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Fri, 13 Sep 2024 18:06:11 +0200 Subject: [PATCH 13/18] Remove build-source-image and sast-snyk-check because these pipelines may overwrite the original side-artifacts and we don't want that. --- .tekton/retag-pipeline.yaml | 51 ------------------------------------- 1 file changed, 51 deletions(-) diff --git a/.tekton/retag-pipeline.yaml b/.tekton/retag-pipeline.yaml index 8357de819cfc5..ee4dd566e579b 100644 --- a/.tekton/retag-pipeline.yaml +++ b/.tekton/retag-pipeline.yaml @@ -96,10 +96,6 @@ spec: 1h, 2d, 3w for hours, days, and weeks, respectively. name: image-expires-after type: string - - default: "true" - description: Build a source image. - name: build-source-image - type: string - default: "0" description: Depth of the git clone in number of commits. Use "1" for shallow clone. Use "0" for deep clone, i.e. to fetch all commits. name: clone-depth 
@@ -280,31 +276,6 @@ spec: operator: in values: [ "true" ] - - name: build-source-image - params: - - name: BINARY_IMAGE - value: $(tasks.build-image-manifest.results.IMAGE_URL) - - name: SOURCE_ARTIFACT - value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - - name: CACHI2_ARTIFACT - value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - taskRef: - params: - - name: name - value: source-build-oci-ta - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.1@sha256:639995e4221da90f5a9fc14dacd0dba384e2a37e3a2c7aa5dafec3c2ab3f5f74 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - - input: $(params.build-source-image) - operator: in - values: [ "true" ] - - name: deprecated-base-image-check params: - name: IMAGE_URL @@ -363,28 +334,6 @@ spec: operator: in values: [ "false" ] - - name: sast-snyk-check - params: - - name: SOURCE_ARTIFACT - value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - - name: image-digest - value: $(tasks.build-image-manifest.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-image-manifest.results.IMAGE_URL) - taskRef: - params: - - name: name - value: sast-snyk-check-oci-ta - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.2@sha256:c2f5eb19cfe6e48595368cc50907be74a7c8a375866ad16e7663df540825af6b - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - - name: clamav-scan params: - name: image-digest From 8686d35abb6c74778e93752da81b932e3920bdc1 Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Fri, 13 Sep 2024 18:07:58 +0200 Subject: [PATCH 14/18] Remove prefetch because nothing depends on it any more --- .tekton/collector-full-retag.yaml | 3 --- .tekton/collector-slim-retag.yaml | 3 --- .tekton/retag-pipeline.yaml | 24 ------------------------ 3 files changed, 30 deletions(-) 
diff --git a/.tekton/collector-full-retag.yaml b/.tekton/collector-full-retag.yaml index a801e21016e51..642910282595c 100644 --- a/.tekton/collector-full-retag.yaml +++ b/.tekton/collector-full-retag.yaml @@ -40,9 +40,6 @@ spec: value: 'true' - name: hermetic value: 'true' - # No language dependencies are required for retagging builds. - - name: prefetch-input - value: '' - name: build-source-image value: 'true' - name: clone-depth diff --git a/.tekton/collector-slim-retag.yaml b/.tekton/collector-slim-retag.yaml index 82fcc13fecbd4..145d92021ff8a 100644 --- a/.tekton/collector-slim-retag.yaml +++ b/.tekton/collector-slim-retag.yaml @@ -40,9 +40,6 @@ spec: value: 'true' - name: hermetic value: 'true' - # No language dependencies are required for retagging builds. - - name: prefetch-input - value: '' - name: build-source-image value: 'true' - name: clone-depth diff --git a/.tekton/retag-pipeline.yaml b/.tekton/retag-pipeline.yaml index ee4dd566e579b..efb9c8002bb2a 100644 --- a/.tekton/retag-pipeline.yaml +++ b/.tekton/retag-pipeline.yaml @@ -83,10 +83,6 @@ spec: description: Execute the build with network isolation name: hermetic type: string - - default: "" - description: Build dependencies to be prefetched by Cachi2 - name: prefetch-input - type: string - default: "false" description: Java build name: java 
@@ -200,26 +196,6 @@ spec: taskRef: name: determine-image-tag - - name: prefetch-dependencies - params: - - name: input - value: $(params.prefetch-input) - - name: SOURCE_ARTIFACT - value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) - - name: ociStorage - value: $(params.output-image-repo):konflux-$(params.revision).prefetch - - name: ociArtifactExpiresAfter - value: $(params.oci-artifact-expires-after) - taskRef: - params: - - name: name - value: prefetch-dependencies-oci-ta - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:e94e26372125c35ae4c88bcccf7036624bd71f4dce7a7d710cdaae635063a2a6 - - name: kind - value: task - resolver: bundles - - name: build-image-manifest params: - name: IMAGE From bc2455bede28f457c49ad9ab34a707e3ca06588a Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Fri, 13 Sep 2024 18:08:31 +0200 Subject: [PATCH 15/18] fixup! Remove build-source-image and sast-snyk-check --- .tekton/collector-full-retag.yaml | 2 -- .tekton/collector-slim-retag.yaml | 2 -- 2 files changed, 4 deletions(-) diff --git a/.tekton/collector-full-retag.yaml b/.tekton/collector-full-retag.yaml index 642910282595c..6d47016141f40 100644 --- a/.tekton/collector-full-retag.yaml +++ b/.tekton/collector-full-retag.yaml @@ -40,8 +40,6 @@ spec: value: 'true' - name: hermetic value: 'true' - - name: build-source-image - value: 'true' - name: clone-depth value: '0' - name: clone-fetch-tags diff --git a/.tekton/collector-slim-retag.yaml b/.tekton/collector-slim-retag.yaml index 145d92021ff8a..4e0523c920bcc 100644 --- a/.tekton/collector-slim-retag.yaml +++ b/.tekton/collector-slim-retag.yaml @@ -40,8 +40,6 @@ spec: value: 'true' - name: hermetic value: 'true' - - name: build-source-image - value: 'true' - name: clone-depth value: '0' - name: clone-fetch-tags From 91d52f4fe3e37ca69c13401eb7922de963bd07ae Mon Sep 17 00:00:00 2001 
From: Misha Sugakov Date: Fri, 13 Sep 2024 18:10:10 +0200 Subject: [PATCH 16/18] Remove path-context and dockerfile --- .tekton/collector-full-retag.yaml | 2 -- .tekton/collector-slim-retag.yaml | 2 -- .tekton/retag-pipeline.yaml | 10 ---------- 3 files changed, 14 deletions(-) diff --git a/.tekton/collector-full-retag.yaml b/.tekton/collector-full-retag.yaml index 6d47016141f40..e3dc282f3a3d5 100644 --- a/.tekton/collector-full-retag.yaml +++ b/.tekton/collector-full-retag.yaml @@ -32,8 +32,6 @@ spec: value: quay.io/rhacs-eng/collector - name: base-image-tag-makefile-target value: collector-tag - - name: path-context - value: . - name: revision value: '{{revision}}' - name: rebuild diff --git a/.tekton/collector-slim-retag.yaml b/.tekton/collector-slim-retag.yaml index 4e0523c920bcc..24382632e63c4 100644 --- a/.tekton/collector-slim-retag.yaml +++ b/.tekton/collector-slim-retag.yaml @@ -32,8 +32,6 @@ spec: value: quay.io/rhacs-eng/collector - name: base-image-tag-makefile-target value: collector-tag - - name: path-context - value: . - name: revision value: '{{revision}}' - name: rebuild diff --git a/.tekton/retag-pipeline.yaml b/.tekton/retag-pipeline.yaml index efb9c8002bb2a..0baa1869492e6 100644 --- a/.tekton/retag-pipeline.yaml +++ b/.tekton/retag-pipeline.yaml @@ -61,16 +61,6 @@ spec: - description: Makefile target to execute in order to determine base (input) image tag. name: base-image-tag-makefile-target type: string - - default: . - description: Path to the source code of an application's component from where - to build image. - name: path-context - type: string - - default: Dockerfile - description: Path to the Dockerfile inside the context specified by parameter - path-context - name: dockerfile - type: string - default: "false" description: Force rebuild image name: rebuild From cd8c97aab66ed36a2295c9c03b71846af6b18049 Mon Sep 17 00:00:00 2001 
From: Misha Sugakov Date: Fri, 13 Sep 2024 18:10:53 +0200 Subject: [PATCH 17/18] Remove `hermetic` param because nothing reads it as well --- .tekton/collector-full-retag.yaml | 2 -- .tekton/collector-slim-retag.yaml | 2 -- .tekton/retag-pipeline.yaml | 4 ---- 3 files changed, 8 deletions(-) diff --git a/.tekton/collector-full-retag.yaml b/.tekton/collector-full-retag.yaml index e3dc282f3a3d5..e901edf13d0bf 100644 --- a/.tekton/collector-full-retag.yaml +++ b/.tekton/collector-full-retag.yaml @@ -36,8 +36,6 @@ spec: value: '{{revision}}' - name: rebuild value: 'true' - - name: hermetic - value: 'true' - name: clone-depth value: '0' - name: clone-fetch-tags diff --git a/.tekton/collector-slim-retag.yaml b/.tekton/collector-slim-retag.yaml index 24382632e63c4..ed4b5f5658369 100644 --- a/.tekton/collector-slim-retag.yaml +++ b/.tekton/collector-slim-retag.yaml @@ -36,8 +36,6 @@ spec: value: '{{revision}}' - name: rebuild value: 'true' - - name: hermetic - value: 'true' - name: clone-depth value: '0' - name: clone-fetch-tags diff --git a/.tekton/retag-pipeline.yaml b/.tekton/retag-pipeline.yaml index 0baa1869492e6..8df6c13f0a1d3 100644 --- a/.tekton/retag-pipeline.yaml +++ b/.tekton/retag-pipeline.yaml @@ -69,10 +69,6 @@ spec: description: Skip checks against built image name: skip-checks type: string - - default: "false" - description: Execute the build with network isolation - name: hermetic - type: string - default: "false" description: Java build name: java From 3490c94526ccd9d0f6b736a13ec91ef63549068d Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Fri, 13 Sep 2024 18:11:20 +0200 Subject: [PATCH 18/18] Remove java param --- .tekton/retag-pipeline.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.tekton/retag-pipeline.yaml b/.tekton/retag-pipeline.yaml index 8df6c13f0a1d3..34e0891bd15cc 100644 --- a/.tekton/retag-pipeline.yaml +++ b/.tekton/retag-pipeline.yaml 
@@ -69,10 +69,6 @@ spec: description: Skip checks against built image name: skip-checks type: string - - default: "false" - description: Java build - name: java - type: string - default: "" description: Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.