address review comments

Author: anithapriyanatarajan

.github/workflows/nightly-builds.yaml

@@ -10,44 +10,19 @@ on:
         description: 'Kubernetes version to test with'
         required: false
         default: 'v1.33.0'
-        type: choice
-        options:
-          - v1.33.0
-          - v1.32.0
-          - v1.31.0
-      dry_run:
-        description: 'Perform dry run (no actual publishing)'
-        required: false
-        default: false
-        type: boolean
       nightly_bucket:
         description: 'Nightly bucket for builds'
         required: false
         default: 'gs://tekton-releases-nightly/pipeline'
         type: string
-  # uncomment the following to enable manual testing of the workflow
-  # push:
-  #   branches:
-  #     - test-rel
-  #   paths:
-  #     - '.github/workflows/nightly-builds.yaml'
-  #     - 'tekton/**'
-  #     - 'cmd/**'
-  #     - 'pkg/**'
 
 env:
   KUBERNETES_VERSION: ${{ inputs.kubernetes_version || 'v1.33.0' }}
   REGISTRY: ghcr.io
-  DRY_RUN: ${{ inputs.dry_run || false }}
-
-  COMPONENT: pipeline
-
   PACKAGE: github.com/${{ github.repository }}
-  GIT_ORG: ${{ github.repository_owner }}
-  GIT_REPO: ${{ github.event.repository.name }}
-  BUCKET: ${{ inputs.nightly_bucket || 'gs://anitha-tekton-nightly-test/pipeline' }}
+  BUCKET: ${{ inputs.nightly_bucket || 'gs://tekton-releases-nightly/pipeline' }}
   IMAGE_REGISTRY_PATH: ${{ github.repository }}
-  IMAGE_REGISTRY_USER: ${{ github.actor }}
+  IMAGE_REGISTRY_USER: tekton-robot
 
 jobs:
   build:
@@ -90,28 +65,33 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GHCR_TOKEN || github.token }}
         run: |
+          # Create Git authentication secret with proper Tekton annotations
           kubectl create secret generic git-resolver-secret \
             --from-literal=token="${GITHUB_TOKEN}" \
             -n tekton-pipelines-resolvers || true
 
-          kubectl patch configmap resolvers-feature-flags -n tekton-pipelines-resolvers --patch='
-          data:
-            enable-git-resolver: "true"
-            enable-hub-resolver: "true"
-            enable-bundles-resolver: "true"
-            enable-cluster-resolver: "true"
-          ' || true
+          kubectl annotate secret git-resolver-secret \
+            tekton.dev/git-0=github.com \
+            -n tekton-pipelines-resolvers || true
 
+          kubectl create secret generic git-resolver-secret \
+            --from-literal=token="${GITHUB_TOKEN}" \
+            -n default || true
+
+          kubectl annotate secret git-resolver-secret \
+            tekton.dev/git-0=github.com \
+            -n default || true
+          
           kubectl patch configmap git-resolver-config -n tekton-pipelines-resolvers --patch='
           data:
-            default-url: "https://github.com"
-            default-revision: "main"
-            fetch-timeout: "1m"
-            scm-type: "github"
-            server-url: "https://api.github.com"
             api-token-secret-name: "git-resolver-secret"
             api-token-secret-key: "token"
           ' || true
+ 
+          kubectl patch configmap feature-flags -n tekton-pipelines --patch='
+          data:
+            enable-cel-in-whenexpression: "true"
+          ' || true
 
       - name: Install tkn CLI
         uses: tektoncd/actions/setup-tektoncd-cli@main
@@ -120,24 +100,30 @@ jobs:
 
       - name: Apply Build Pipeline Definition
         run: |
-          kubectl apply -f tekton/publish.yaml
-          kubectl apply -f tekton/release-pipeline.yaml
+          kustomize build tekton | kubectl apply -f -
 
-      - name: Create secrets and PVC template
+      - name: Create secrets, service account and PVC template
         env:
           GCS_SERVICE_ACCOUNT_KEY: ${{ secrets.GCS_SERVICE_ACCOUNT_KEY }}
           GHCR_TOKEN: ${{ secrets.GHCR_TOKEN || github.token }}
+          IMAGE_REGISTRY_USER: ${{ env.IMAGE_REGISTRY_USER }}
         run: |
+          # Create GCS service account secret for release bucket access
           echo "${GCS_SERVICE_ACCOUNT_KEY}" > /tmp/gcs-key.json
           kubectl create secret generic release-secret \
             --from-file=release.json=/tmp/gcs-key.json
           rm -f /tmp/gcs-key.json
-
-          kubectl create secret docker-registry ghcr-creds \
-            --docker-server=ghcr.io \
-            --docker-username=${{ github.actor }} \
-            --docker-password="${GHCR_TOKEN}" \
-            --docker-email=${{ github.actor }}@users.noreply.github.com
+          
+          # Create a Kubernetes secret for GHCR authentication.
+          # This version creates the secret with a custom key name `docker-config.json`
+          # (instead of the default `.dockerconfigjson`) to match what the publish task expects.
+          echo "${GHCR_TOKEN}" > /tmp/docker-config.json
+          kubectl create secret generic release-images-secret \
+            --from-file=docker-config.json=/tmp/docker-config.json
+          rm -f /tmp/docker-config.json
+
+          # Apply service account configuration with proper RBAC
+          kubectl apply -f tekton/account.yaml
 
           cat > workspace-template.yaml << EOF
           spec:
@@ -155,6 +141,7 @@ jobs:
           echo "Starting Tekton pipeline..."
 
           PIPELINE_RUN=$(tkn pipeline start pipeline-release \
+            --serviceaccount=release-right-meow \
             --param package="${{ env.PACKAGE }}" \
             --param gitRevision="${{ steps.version.outputs.latest_sha }}" \
             --param versionTag="${{ steps.version.outputs.version_tag }}" \
@@ -163,17 +150,18 @@ jobs:
             --param imageRegistryPath="${{ env.IMAGE_REGISTRY_PATH }}" \
             --param imageRegistryUser="${{ env.IMAGE_REGISTRY_USER }}" \
             --param imageRegistryRegions="" \
-            --param buildPlatforms="linux/amd64" \
-            --param publishPlatforms="linux/amd64" \
+            --param buildPlatforms="linux/amd64,linux/arm64,linux/s390x,linux/ppc64le" \
+            --param publishPlatforms="linux/amd64,linux/arm64,linux/s390x,linux/ppc64le,windows/amd64" \
             --param koExtraArgs="" \
             --param serviceAccountPath=release.json \
-            --param serviceAccountImagesPath=.dockerconfigjson \
-            --param releaseAsLatest="false" \
+            --param serviceAccountImagesPath=docker-config.json \
+            --param releaseAsLatest="true" \
             --param runTests="false" \
             --workspace name=workarea,volumeClaimTemplateFile=workspace-template.yaml \
             --workspace name=release-secret,secret=release-secret \
-            --workspace name=release-images-secret,secret=ghcr-creds \
-            --pipeline-timeout 2h \
+            --workspace name=release-images-secret,secret=release-images-secret \
+            --tasks-timeout 2h \
+            --pipeline-timeout 3h \
             --output name) || {
             echo "Failed to start Tekton pipeline!"
             exit 1

tekton/account.yaml

@@ -0,0 +1,52 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: release-right-meow
+secrets:
+- name: release-secret
+- name: git-resolver-secret
+- name: release-images-secret 
+
+---
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: kube-api-secret
+  annotations:
+    kubernetes.io/service-account.name: release-right-meow
+type: kubernetes.io/service-account-token
+
+---
+
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: pipeline-role
+rules:
+- apiGroups: [""]
+  resources: ["services", "configmaps", "secrets"]
+  verbs: ["get", "create", "update", "patch", "list"]
+- apiGroups: ["apps"]
+  resources: ["deployments"]
+  verbs: ["get", "create", "update", "patch", "list"]
+- apiGroups: ["tekton.dev"]
+  resources: ["pipelines", "pipelineruns", "tasks", "taskruns"]
+  verbs: ["get", "create", "update", "patch", "list"]
+- apiGroups: [""]
+  resources: ["pods", "pods/log"]
+  verbs: ["get", "list"]
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: pipeline-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: pipeline-role
+subjects:
+- kind: ServiceAccount
+  name: release-right-meow 

tekton/publish.yaml

@@ -16,7 +16,7 @@ spec:
       description: Extra args to be passed to ko
       default: "--preserve-import-paths"
     - name: versionTag
-      description: Version tag (X.Y.Z for stable, vYYYYMMDD-abc1234 for nightly)
+      description: The version, vX.Y.Z for stable, vYYYYMMDD-abc1234 for nightly that the artifacts should be tagged with (including `v`).
     - name: imageRegistry
       description: The target image registry
       default: ghcr.io
@@ -41,9 +41,9 @@ spec:
       description: >-
         The workspace where the repo has been cloned. This should ideally
         be /go/src/$(params.package) however that is not possible today,
-        see https://github.com/tektoncd/pipeline/issues/3786. For nightly builds
-        on forks, we use a more generic mount path that works across repositories.
-      mountPath: /go/src/repo
+        see https://github.com/tektoncd/pipeline/issues/3786. To use this
+        task on a fork of pipeline change the mountPath below
+      mountPath: /go/src/github.com/tektoncd/pipeline
     - name: release-secret
       description: The secret that contains a service account authorized to push to the imageRegistry and to the output bucket
     - name: output
@@ -73,57 +73,23 @@ spec:
   steps:
 
   - name: container-registry-auth
-    image: cgr.dev/chainguard/crane:latest-dev@sha256:68d9b984ee9cb5ff9cf7a779e8bdf3c2022f9042abfa1f0f5727a082a9429535
+    image: cgr.dev/chainguard/crane:latest-dev@sha256:430c7813147443b59185d79ce7f5d682698a9fc3072f100850dc3a04100c1d91
     script: |
       #!/bin/sh
       set -ex
 
-      # For GHCR (GitHub Container Registry), handle authentication differently
-      if [[ "$(params.imageRegistry)" == "ghcr.io" ]]; then
-        echo "🔍 Configuring authentication for GitHub Container Registry"
-
-        # For GHCR with Docker registry secrets, the secret structure is different
-        # Check if we have a .dockerconfigjson file (from kubectl create secret docker-registry)
-        if [[ -f "$(workspaces.release-secret.path)/.dockerconfigjson" ]]; then
-          echo "Using Docker registry secret format"
-          cp "$(workspaces.release-secret.path)/.dockerconfigjson" /workspace/docker-config.json
-        elif [[ -f "${CONTAINER_REGISTRY_CREDENTIALS}" ]]; then
-          # Check if it's a docker config.json or a simple token
-          if cat ${CONTAINER_REGISTRY_CREDENTIALS} | jq -r '.auths // empty' >/dev/null 2>&1; then
-            # It's a docker config.json, copy it directly
-            echo "Using docker config.json format"
-            cp ${CONTAINER_REGISTRY_CREDENTIALS} /workspace/docker-config.json
-          else
-            # It's a simple token, create docker config
-            echo "Using token-based authentication"
-            TOKEN=$(cat ${CONTAINER_REGISTRY_CREDENTIALS})
-
-            # Create docker config for GHCR
-            mkdir -p ~/.docker
-            echo '{"auths":{"ghcr.io":{"auth":"'$(echo -n "${CONTAINER_REGISTRY_USER}:${TOKEN}" | base64 -w 0)'"}}}' > ~/.docker/config.json
-            cp ~/.docker/config.json /workspace/docker-config.json
-          fi
-        else
-          echo "Credentials file not found: ${CONTAINER_REGISTRY_CREDENTIALS}"
-          exit 1
-        fi
-      else
-        # Original GCR authentication logic
-        echo "🔍 Configuring authentication for GCR/other registries"
-
-        # Login to the container registry
-        DOCKER_CONFIG=$(cat ${CONTAINER_REGISTRY_CREDENTIALS} | \
-          crane auth login -u ${CONTAINER_REGISTRY_USER} --password-stdin $(params.imageRegistry) 2>&1 | \
-          sed -n 's,^.*logged in via \(.*\)$,\1,p')
+      # Login to the container registry
+      DOCKER_CONFIG=$(cat ${CONTAINER_REGISTRY_CREDENTIALS} | \
+        crane auth login -u ${CONTAINER_REGISTRY_USER} --password-stdin $(params.imageRegistry) 2>&1 | \
+        sed -n 's,^.*logged in via \(.*\)$,\1,p')
 
-        # Auth with account credentials for all regions.
-        for region in ${REGIONS}
-        do
-          HOSTNAME=${region}.$(params.imageRegistry)
-          cat ${CONTAINER_REGISTRY_CREDENTIALS} | crane auth login -u ${CONTAINER_REGISTRY_USER} --password-stdin ${HOSTNAME}
-        done
-        cp ${DOCKER_CONFIG} /workspace/docker-config.json
-      fi
+      # Auth with account credentials for all regions.
+      for region in ${REGIONS}
+      do
+        HOSTNAME=${region}.$(params.imageRegistry)
+        cat ${CONTAINER_REGISTRY_CREDENTIALS} | crane auth login -u ${CONTAINER_REGISTRY_USER} --password-stdin ${HOSTNAME}
+      done
+      cp ${DOCKER_CONFIG} /workspace/docker-config.json
 
   - name: create-ko-yaml
     image: cgr.dev/chainguard/go:latest-dev@sha256:8e2632f8725d1a48d6f97a13c71e1594fe17dc9c0e7d00543091a04ac82e429b
@@ -181,7 +147,6 @@ spec:
       set -ex
 
       # Fix Git ownership issue for the repository directory
-      git config --global --add safe.directory /go/src/repo
       git config --global --add safe.directory ${PROJECT_ROOT}
 
       # Use the generated `.ko.yaml`
@@ -236,6 +201,7 @@ spec:
       # Rewrite "devel" to params.versionTag
       sed -i -e 's/\(pipeline.tekton.dev\/release\): "devel"/\1: "$(params.versionTag)"/g' -e 's/\(app.kubernetes.io\/version\): "devel"/\1: "$(params.versionTag)"/g' -e 's/\(version\): "devel"/\1: "$(params.versionTag)"/g' ${OUTPUT_RELEASE_DIR}/release.yaml
       sed -i -e 's/\(pipeline.tekton.dev\/release\): "devel"/\1: "$(params.versionTag)"/g' -e 's/\(app.kubernetes.io\/version\): "devel"/\1: "$(params.versionTag)"/g' -e 's/\(version\): "devel"/\1: "$(params.versionTag)"/g' ${OUTPUT_RELEASE_DIR}/release.notags.yaml
+
   - name: koparse
     image: ghcr.io/tektoncd/plumbing/koparse@sha256:1898ef549aaff602d06c049136aaf1c1eacc573846c42bbf42d8dc9258235204
     script: |

tekton/release-pipeline.yaml

@@ -23,7 +23,7 @@ spec:
       description: The user for the image registry credentials
       default: _json_key
     - name: versionTag
-      description: Version tag (X.Y.Z for stable, vYYYYMMDD-abc1234 for nightly)
+      description: Version tag (vX.Y.Z for stable, vYYYYMMDD-abc1234 for nightly)
     - name: releaseBucket
       description: bucket where the release is stored. The bucket must be project specific.
       default: "gs://tekton-releases-nightly/pipeline"  # Will be overridden based on releaseMode
@@ -94,8 +94,6 @@ spec:
         params:
           - name: url
             value: https://github.com/tektoncd/plumbing
-          - name: org
-            value: tektoncd
           - name: revision
             value: main
           - name: pathInRepo
@@ -115,9 +113,7 @@ spec:
     - name: unit-tests
       runAfter: [precheck]
       when:
-        - input: "$(params.runTests)"
-          operator: in
-          values: ["true"]
+        - cel: "'$(params.runTests)' == 'true'"
       taskRef:
         resolver: bundles
         params:
@@ -142,9 +138,7 @@ spec:
     - name: build
       runAfter: [precheck]
       when:
-        - input: "$(params.runTests)"
-          operator: in
-          values: ["true"]
+        - cel: "'$(params.runTests)' == 'true'"
       taskRef:
         resolver: bundles
         params:
@@ -167,7 +161,16 @@ spec:
     - name: publish-images
       runAfter: [unit-tests, build]
       taskRef:
-        name: publish-release
+        resolver: git
+        params:
+          - name: repo
+            value: pipeline
+          - name: org
+            value: tektoncd
+          - name: revision
+            value: $(params.gitRevision)
+          - name: pathInRepo
+            value: tekton/publish.yaml
       params:
         - name: package
           value: $(params.package)
@@ -279,6 +282,7 @@ spec:
                 value: $(params.versionTag)
             script: |
               BASE_URL=$(echo "${RELEASE_BUCKET}/previous/${VERSION_TAG}")
+              # If the bucket is in the gs:// return the corresponding public https URL
               BASE_URL=$(echo ${BASE_URL} | sed 's,gs://,https://storage.googleapis.com/,g')
               echo "${BASE_URL}/release.yaml" > $(results.release.path)
               echo "${BASE_URL}/release.notag.yaml" > $(results.release-no-tag.path)