stackrox · msugakov · Apr 15, 2026 · Apr 15, 2026 · Apr 15, 2026 · Apr 15, 2026
@@ -9,17 +9,13 @@ metadata:
     build.appstudio.redhat.com/target_branch: '{{target_branch}}'
     pipelinesascode.tekton.dev/max-keep-runs: "500"
     pipelinesascode.tekton.dev/on-comment: "/konflux-retest create-custom-snapshot"
+    # Unlike other pipelines, this one is enabled for all PRs. See the description of determine-actual-build task.
+    # The condition for a label is to make sure the konflux-build label addition activates this pipeline, same as others.
     # TODO(ROX-21073): re-enable for all PR branches
     pipelinesascode.tekton.dev/on-cel-expression: |
-      (
-        event == "push" && target_branch.matches("^(master|release-.*|refs/tags/.*)$")
-      ) || (
-        event == "pull_request" && (
-          target_branch.startsWith("release-") ||
-          source_branch.matches("(konflux|renovate|appstudio|rhtap)") ||
-          (has(body.pull_request) && has(body.pull_request.labels) && body.pull_request.labels.exists(l, l.name == "konflux-build"))
-        ) && body.action != "ready_for_review"
-      )
+      (event == "push" && target_branch.matches("^(master|release-.*|refs/tags/.*)$")) ||
+      (event == "pull_request" && body.action != "ready_for_review") ||
+      (has(body.pull_request) && has(body.pull_request.labels) && body.pull_request.labels.exists(l, l.name == "konflux-build"))
     # The empty `on-label` annotation is a workaround to make sure the pipeline gets triggered when the label gets first
     # added to the PR. See the Slack tread linked from ROX-30580.
     pipelinesascode.tekton.dev/on-label: "[]"
@@ -124,6 +120,67 @@ spec:
     - name: post-metric-start
       taskRef: *post-bigquery-metrics-ref
 
+    # TODO: event_type=on-comment and the rest
+    - name: determine-actual-build
+      taskSpec:
+        description: |
+          Determines whether the actual tasks in the pipeline should be skipped or executed.
+          Tasks will be skipped on PRs where Konflux builds aren't enabled (TODO: ROX-21073), see
+          `pipelinesascode.tekton.dev/on-cel-expression` annotation in `*-build.yaml` files.
+          This all is needed because we want to always run this `create-custom-snapshot` pipeline and make it part of
+          required GitHub checks in branch protection rules.
+        results:
+        - name: SHOULD_REALLY_WORK
+        steps:
+        - name: determine
+          image: registry.redhat.io/ubi9-minimal:latest@sha256:fe688da81a696387ca53a4c19231e99289591f990c904ef913c51b6e87d4e4df
+          # The script expresses the same condition as pipelinesascode.tekton.dev/on-cel-expression in other pipelines
+          # but in a more verbose way because, as it turns out, both syntax and fields of CEL expressions are slightly
+          # different.
+          script: |
+            set -euo pipefail
+
+            function assert_boolean() {
+              if [[ "${2:-}" != "" ]]; then
+                echo "${2}"
+              fi
+              echo "${1}: ${!1}"
+              if [[ "${!1}" != "true" && "${!1}" != "false" ]]; then
+                >&2 echo "Error: not a boolean value: ${!1}"
+                exit 2
+              fi
+            }
+
+            is_pull_request="false"
+            [[ "{{ pull_request_number }}" == "" ]] || is_pull_request="true"
+            assert_boolean is_pull_request "pull_request_number: {{ pull_request_number }}"
+
+            is_matching_target_branch='{{ cel: target_branch.startsWith("release-") }}'
+            assert_boolean is_matching_target_branch "target_branch: {{ target_branch }}"
+
+            is_matching_source_branch='{{ cel: source_branch.matches("(konflux|renovate|appstudio|rhtap)") }}'
+            assert_boolean is_matching_source_branch "source_branch: {{ source_branch }}"
+
+            has_konflux_build_label_as_pr='{{ cel: has(body.pull_request) && has(body.pull_request.labels) && body.pull_request.labels.exists(l, l.name == "konflux-build") }}'
+            assert_boolean has_konflux_build_label_as_pr
+
+            has_konflux_build_label_as_issue='{{ cel: has(body.issue) && has(body.issue.labels) && body.issue.labels.exists(l, l.name == "konflux-build") }}'
+            assert_boolean has_konflux_build_label_as_issue
+
+            result="false"
+            if [[ "${is_pull_request}" != "true" || "${is_matching_target_branch}" == "true" || "${is_matching_source_branch}" == "true" || "${has_konflux_build_label_as_pr}" == "true" || "${has_konflux_build_label_as_issue}" == "true" ]]; then
+              result="true"
+            fi
+            echo -n "The result is: "
+            echo -n "${result}" | tee "$(results.SHOULD_REALLY_WORK.path)"
+            echo
+
+            echo '-----------'
+            echo 'full body, for diagnostics if anything fails:'
+            cat <<EOF
+              {{ cel: body }}
+            EOF
+
     - name: clone-repository
       params:
       - name: url
@@ -150,6 +207,10 @@ spec:
       workspaces:
       - name: basic-auth
         workspace: git-auth
+      when:
+      - input: $(tasks.determine-actual-build.results.SHOULD_REALLY_WORK)
+        operator: in
+        values: [ "true" ]
 
     - name: determine-image-tag
       params:
@@ -166,6 +227,10 @@ spec:
         - name: kind
           value: task
         resolver: bundles
+      when:
+      - input: $(tasks.determine-actual-build.results.SHOULD_REALLY_WORK)
+        operator: in
+        values: [ "true" ]
 
     - name: wait-for-bundle-image
       params:
@@ -182,6 +247,10 @@ spec:
         resolver: bundles
       # The timemout should be kept in sync with the pipeline timeout in the operator-bundle-build.yaml
       timeout: 3h25m
+      when:
+      - input: $(tasks.determine-actual-build.results.SHOULD_REALLY_WORK)
+        operator: in
+        values: [ "true" ]
 
     - name: create-acs-style-snapshot
       params:
@@ -269,3 +338,7 @@ spec:
         - name: kind
           value: task
         resolver: bundles
+      when:
+      - input: $(tasks.determine-actual-build.results.SHOULD_REALLY_WORK)
+        operator: in
+        values: [ "true" ]