fix: release pipeline feedback

Author: anithapriyanatarajan

tekton/README.md

@@ -146,56 +146,7 @@ Command to create a kubeconfig in your local could be obtained from console navi
 
 1. [Setup a context to connect to the dogfooding cluster](./release-cheat-sheet.md#setup-dogfooding-context) 
 
-1. When executing release pipelines, some tasks require `oci cli` commands. The CLI requires credentials which should be created as a Kubernetes secret and mounted to the respective task's workspace. For example refer the precheck definition.
-```
-    - name: precheck
-      runAfter: [git-clone]
-      taskRef:
-        resolver: git
-        params:
-          - name: url
-            value: https://github.com/tektoncd/plumbing
-          - name: revision
-            value: 8d3152d3d39982ce1768325b373d321efaa83031
-          - name: pathInRepo
-            value: tekton/resources/release/base/prerelease_checks_oci.yaml
-      params:
-        - name: package
-          value: $(params.package)
-        - name: versionTag
-          value: $(params.versionTag)
-        - name: releaseBucket
-          value: $(params.releaseBucket)/$(params.repoName)
-      workspaces:
-        - name: source-to-release
-          workspace: workarea
-          subPath: git
-        - name: oci-credentials
-          workspace: release-secret
-```
-Sample secret template for reference:
-```
-apiVersion: v1
-kind: Secret
-metadata:
-  name: oci-credentials
-type: Opaque
-stringData:
-  # REQUIRED: OCI API Private Key (PEM format)
-  oci_api_key.pem: |
-    -----BEGIN RSA PRIVATE KEY-----
-    YOUR_ACTUAL_PRIVATE_KEY_CONTENT_HERE
-    -----END RSA PRIVATE KEY-----
-
-  # REQUIRED: API Key Fingerprint
-  fingerprint: "YOUR_API_KEY_FINGERPRINT_HERE"
-
-  # OPTIONAL: These can be provided as task parameters instead
-  tenancy_ocid: "ocid1.tenancy.oc1..example_tenancy_id"
-  user_ocid: "ocid1.user.oc1..example_user_id"
-  region: "us-ashburn-1"
-  namespace: "your-namespace-here"  # Will be auto-detected if not provided
-```
+1. NOTE: When executing release pipelines, some tasks require OCI CLI commands which need credentials. The OCI credentials secret is already deployed to the dogfooding cluster via terraform and is mounted as a workspace to tasks that require it (such as the precheck task). Release managers do not need to create this secret manually. This is stated here for troubleshooting purposes.
 
 ### Setup post processing
 

tekton/release-cheat-sheet.md

@@ -72,14 +72,15 @@ the pipelines repo, a terminal window and a text editor.
 1. Create a workspace template file:
 
    ```bash
-   cat <<EOF > workspace-template.yaml
-   spec:
-     accessModes:
-     - ReadWriteOnce
-     resources:
-       requests:
-         storage: 1Gi
-   EOF
+   WORKSPACE_TEMPLATE=$(mktemp /tmp/workspace-template.XXXXXX.yaml)
+   cat <<'EOF' > $WORKSPACE_TEMPLATE
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+EOF
    ```
 
 1. Execute the release pipeline (takes ~45 mins).
@@ -101,9 +102,9 @@ the pipelines repo, a terminal window and a text editor.
       --param versionTag="${TEKTON_VERSION}" \
       --param releaseBucket=tekton-releases \
       --param koExtraArgs="" \
-      --workspace name=release-secret,secret=release-secret \
+      --workspace name=release-secret,secret=oci-release-secret \
       --workspace name=release-images-secret,secret=ghcr-creds \
-      --workspace name=workarea,volumeClaimTemplateFile=workspace-template.yaml \
+      --workspace name=workarea,volumeClaimTemplateFile="${WORKSPACE_TEMPLATE}" \
       --tasks-timeout 2h \
       --pipeline-timeout 3h
    ```
@@ -136,7 +137,7 @@ the pipelines repo, a terminal window and a text editor.
     1. Find the Rekor UUID for the release
 
     ```bash
-    RELEASE_FILE=https://infra.tekton.dev/tekton-releases/triggers/previous/${VERSION_TAG}/release.yaml
+    RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/${TEKTON_VERSION}/release.yaml
     CONTROLLER_IMAGE_SHA=$(curl -L $RELEASE_FILE | sed -n 's/"//g;s/.*ghcr\.io.*controller.*@//p;')
     REKOR_UUID=$(rekor-cli search --sha $CONTROLLER_IMAGE_SHA | grep -v Found | head -1)
     echo -e "CONTROLLER_IMAGE_SHA: ${CONTROLLER_IMAGE_SHA}\nREKOR_UUID: ${REKOR_UUID}"
@@ -147,19 +148,20 @@ the pipelines repo, a terminal window and a text editor.
         Create a pod template file:
 
         ```shell
-        cat <<EOF > tekton/pod-template.yaml
-        securityContext:
-          fsGroup: 65532
-          runAsUser: 65532
-          runAsNonRoot: true
-        EOF
+        POD_TEMPLATE=$(mktemp /tmp/pod-template.XXXXXX.yaml)
+        cat <<'EOF' > $POD_TEMPLATE
+securityContext:
+  fsGroup: 65532
+  runAsUser: 65532
+  runAsNonRoot: true
+EOF
         ```
-        ```shell
 
+        ```shell
         tkn pipeline start \
-          --workspace name=shared,volumeClaimTemplateFile=workspace-template.yaml \
+          --workspace name=shared,volumeClaimTemplateFile="${WORKSPACE_TEMPLATE}" \
           --workspace name=credentials,secret=oci-release-secret \
-          --pod-template pod-template.yaml \
+          --pod-template "${POD_TEMPLATE}" \
           -p package="${TEKTON_PACKAGE}" \
           -p git-revision="$TEKTON_RELEASE_GIT_SHA" \
           -p release-tag="${TEKTON_VERSION}" \
@@ -220,7 +222,7 @@ the pipelines repo, a terminal window and a text editor.
 Optional: Add a photo of this release's "purr programmer" (someone's cat).
 
 1. Update [the catalog repo](https://github.com/tektoncd/catalog) test infrastructure
-to use the new release by updating the `RELEASE_YAML` link in [e2e-tests.sh](https://github.com/tektoncd/catalog/blob/main/test/e2e-tests.sh).
+to use the new release by updating the test matrix in the `[ci.yaml](https://github.com/tektoncd/catalog/blob/main/.github/workflows/ci.yaml)`.
 
 1. Update [the plumbing repo](https://github.com/tektoncd/plumbing/blob/d244554a42d7b6a5f1180c58c513eeecc9febcde/tekton/cd/pipeline/overlays/oci-ci-cd/kustomization.yaml#L4) to deploy the latest version to the dogfooging cluster on OCI.