tekton-catalog: publish custom docker-build-oci-ta pipeline bundle

.github/workflows/kustomize-build.yml

@@ -20,3 +20,33 @@ jobs:
 
       - name: Build push-to-external-registry pipeline
         run: kustomize build tekton-catalog/pipelines/push-to-external-registry/
+
+      - name: Build docker-build-oci-ta pipeline
+        run: kustomize build tekton-catalog/pipelines/docker-build-oci-ta/
+
+      - name: Verify build-source-image defaults to true
+        run: |
+          BUILT=$(kustomize build tekton-catalog/pipelines/docker-build-oci-ta/)
+          DEFAULT=$(echo "$BUILT" | yq '.spec.params[] | select(.name == "build-source-image") | .default')
+          if [ "$DEFAULT" != "true" ]; then
+            echo "ERROR: build-source-image default is '${DEFAULT}', expected 'true'"
+            echo "The upstream pipeline may have reordered params — check patch.yaml index."
+            exit 1
+          fi
+          echo "OK: build-source-image default is 'true'"
+
+      - name: Verify build-container uses our custom task bundle
+        run: |
+          BUILT=$(kustomize build tekton-catalog/pipelines/docker-build-oci-ta/)
+          RESOLVER=$(echo "$BUILT" | yq '.spec.tasks[] | select(.name == "build-container") | .taskRef.resolver')
+          BUNDLE=$(echo "$BUILT" | yq '.spec.tasks[] | select(.name == "build-container") | .taskRef.params[] | select(.name == "bundle") | .value')
+          if [ "$RESOLVER" != "bundles" ]; then
+            echo "ERROR: build-container taskRef.resolver is '${RESOLVER}', expected 'bundles'"
+            echo "The upstream pipeline may have reordered tasks — check patch.yaml index."
+            exit 1
+          fi
+          if [[ "$BUNDLE" != quay.io/foreman/tekton-catalog/task-buildah-oci-ta* ]]; then
+            echo "ERROR: build-container bundle is '${BUNDLE}', expected quay.io/foreman/tekton-catalog/task-buildah-oci-ta:*"
+            exit 1
+          fi
+          echo "OK: build-container uses ${BUNDLE}"

.github/workflows/publish-pipeline-bundle.yml

@@ -7,6 +7,10 @@ on:
       - develop
     paths:
       - 'tekton-catalog/**'
+  schedule:
+    # Weekly rebuild to pick up upstream docker-build-oci-ta changes
+    # (kustomization.yaml fetches refs/heads/main at build time).
+    - cron: '0 6 * * 1'
   workflow_dispatch:
 
 jobs:
@@ -21,17 +25,29 @@ jobs:
         id: filter
         with:
           filters: |
-            pipeline:
-              - 'tekton-catalog/pipelines/**'
+            pipeline-push-to-external-registry:
+              - 'tekton-catalog/pipelines/push-to-external-registry/**'
+            pipeline-docker-build-oci-ta:
+              - 'tekton-catalog/pipelines/docker-build-oci-ta/**'
             task-buildah-oci-ta:
               - 'tekton-catalog/tasks/buildah-oci-ta/**'
 
       - name: Set up kustomize
-        if: steps.filter.outputs.pipeline == 'true' || steps.filter.outputs.task-buildah-oci-ta == 'true'
+        if: >-
+          steps.filter.outputs.pipeline-push-to-external-registry == 'true' ||
+          steps.filter.outputs.pipeline-docker-build-oci-ta == 'true' ||
+          steps.filter.outputs.task-buildah-oci-ta == 'true' ||
+          github.event_name == 'schedule' ||
+          github.event_name == 'workflow_dispatch'
         uses: imranismail/setup-kustomize@v2
 
       - name: Install tkn CLI
-        if: steps.filter.outputs.pipeline == 'true' || steps.filter.outputs.task-buildah-oci-ta == 'true'
+        if: >-
+          steps.filter.outputs.pipeline-push-to-external-registry == 'true' ||
+          steps.filter.outputs.pipeline-docker-build-oci-ta == 'true' ||
+          steps.filter.outputs.task-buildah-oci-ta == 'true' ||
+          github.event_name == 'schedule' ||
+          github.event_name == 'workflow_dispatch'
         run: |
           TKN_VERSION=0.39.0
           curl -Ls "https://github.com/tektoncd/cli/releases/download/v${TKN_VERSION}/tkn_${TKN_VERSION}_Linux_x86_64.tar.gz" \
@@ -40,15 +56,20 @@ jobs:
           tkn version
 
       - name: Login to Quay.io
-        if: steps.filter.outputs.pipeline == 'true' || steps.filter.outputs.task-buildah-oci-ta == 'true'
+        if: >-
+          steps.filter.outputs.pipeline-push-to-external-registry == 'true' ||
+          steps.filter.outputs.pipeline-docker-build-oci-ta == 'true' ||
+          steps.filter.outputs.task-buildah-oci-ta == 'true' ||
+          github.event_name == 'schedule' ||
+          github.event_name == 'workflow_dispatch'
         uses: redhat-actions/podman-login@v1
         with:
           registry: quay.io
           username: ${{ secrets.QUAY_ROBOT_USERNAME }}
           password: ${{ secrets.QUAY_ROBOT_TOKEN }}
 
       - name: Build and push push-to-external-registry pipeline bundle
-        if: steps.filter.outputs.pipeline == 'true'
+        if: steps.filter.outputs.pipeline-push-to-external-registry == 'true'
         run: |
           REPO=quay.io/foreman/tekton-catalog/pipeline-push-to-external-registry
           BUILT=$(kustomize build tekton-catalog/pipelines/push-to-external-registry/)
@@ -72,3 +93,20 @@ jobs:
           skopeo copy "docker://${REPO}:${FULL_VERSION}" "docker://${REPO}:${MINOR_VERSION}"
           skopeo copy "docker://${REPO}:${FULL_VERSION}" "docker://${REPO}:latest"
           echo "Published ${REPO}:${FULL_VERSION}, ${REPO}:${MINOR_VERSION} and ${REPO}:latest"
+
+      - name: Build and push docker-build-oci-ta pipeline bundle
+        if: >-
+          steps.filter.outputs.pipeline-docker-build-oci-ta == 'true' ||
+          steps.filter.outputs.task-buildah-oci-ta == 'true' ||
+          github.event_name == 'schedule' ||
+          github.event_name == 'workflow_dispatch'
+        run: |
+          REPO=quay.io/foreman/tekton-catalog/pipeline-docker-build-oci-ta
+          BUILT=$(kustomize build tekton-catalog/pipelines/docker-build-oci-ta/)
+          FULL_VERSION=$(echo "$BUILT" | python3 -c "import sys, yaml; d = yaml.safe_load(sys.stdin); print(d['metadata'].get('labels', {}).get('app.kubernetes.io/version') or d['metadata']['annotations']['tekton.dev/pipelines.minVersion'])")
+          MINOR_VERSION=$(echo "$FULL_VERSION" | cut -d. -f1,2)
+          echo "Publishing ${REPO}:${FULL_VERSION} and ${REPO}:${MINOR_VERSION}"
+          echo "$BUILT" | tkn bundle push "${REPO}:${FULL_VERSION}" -f -
+          skopeo copy "docker://${REPO}:${FULL_VERSION}" "docker://${REPO}:${MINOR_VERSION}"
+          skopeo copy "docker://${REPO}:${FULL_VERSION}" "docker://${REPO}:latest"
+          echo "Published ${REPO}:${FULL_VERSION}, ${REPO}:${MINOR_VERSION} and ${REPO}:latest"

CLAUDE.md

@@ -224,6 +224,7 @@ uv run pytest hack/branch-release/tests/
 yamllint .
 
 # Validate kustomize renders cleanly
+kustomize build tekton-catalog/pipelines/docker-build-oci-ta/
 kustomize build tekton-catalog/pipelines/push-to-external-registry/
 kustomize build tekton-catalog/tasks/buildah-oci-ta/
 ```
@@ -236,7 +237,36 @@ Bundles are **not** built from this repo's YAML directly — they are assembled
 
 `tekton-catalog/hack/push-bundles.sh` is the local equivalent for manual testing only.
 
-**When a task bundle is updated:** after a new `task-buildah-oci-ta` bundle is published (triggered by a merge to `develop` that changes `tekton-catalog/tasks/buildah-oci-ta/`), open a follow-up PR to every OCI image repo to update the bundle digest in their `.tekton/` files. Use `skopeo inspect docker://quay.io/foreman/tekton-catalog/task-buildah-oci-ta:0.9 | jq -r .Digest` to get the current digest.
+### Bundle inventory
+
+| Bundle | Quay repo | Trigger |
+|---|---|---|
+| `pipeline-docker-build-oci-ta` | `quay.io/foreman/tekton-catalog/pipeline-docker-build-oci-ta` | Changes to `tekton-catalog/pipelines/docker-build-oci-ta/**`, task bundle changes, or weekly schedule |
+| `pipeline-push-to-external-registry` | `quay.io/foreman/tekton-catalog/pipeline-push-to-external-registry` | Changes to `tekton-catalog/pipelines/push-to-external-registry/**` |
+| `task-buildah-oci-ta` | `quay.io/foreman/tekton-catalog/task-buildah-oci-ta` | Changes to `tekton-catalog/tasks/buildah-oci-ta/**` |
+
+**`pipeline-docker-build-oci-ta`** is a patched fork of the upstream Konflux build pipeline. It embeds two overrides relative to upstream:
+- `build-container` task uses our custom `task-buildah-oci-ta` bundle (higher memory/CPU limits).
+- `build-source-image` param defaults to `"true"` (upstream default is `"false"`).
+
+The weekly scheduled rebuild (Monday 06:00 UTC) picks up upstream `docker-build-oci-ta` changes automatically, since the kustomization fetches `refs/heads/main` at build time. The `pipeline-docker-build-oci-ta` bundle is also rebuilt whenever `task-buildah-oci-ta` changes.
+
+**When a task bundle is updated:** the `pipeline-docker-build-oci-ta` bundle is rebuilt automatically in the same CI run. For OCI repos that are not yet using the custom pipeline bundle, also open a follow-up PR to update the bundle digest in their `.tekton/` files. Use `skopeo inspect docker://quay.io/foreman/tekton-catalog/task-buildah-oci-ta:0.9 | jq -r .Digest` to get the current digest.
+
+### Activating the custom pipeline bundle in tenants-config
+
+After `pipeline-docker-build-oci-ta` is published, update every Foreman component annotation in tenants-config to use our bundle instead of the upstream one:
+
+```yaml
+# Before (upstream bundle)
+build.appstudio.openshift.io/pipeline: '{"name":"docker-build-oci-ta","bundle":"latest"}'
+
+# After (our custom bundle)
+build.appstudio.openshift.io/pipeline: '{"name":"docker-build-oci-ta","bundle":"quay.io/foreman/tekton-catalog/pipeline-docker-build-oci-ta:latest"}'
+build.appstudio.openshift.io/request: "configure-pac"
+```
+
+The `configure-pac` annotation triggers Konflux to regenerate the `.tekton` files in the OCI repos with the correct pipeline bundle reference. **Regeneration does not preserve prior `.tekton` customizations** — `ADDITIONAL_TAGS` (see issue #26) must be re-applied after each `configure-pac` reconfiguration.
 
 ## PR/MR rules
 

tekton-catalog/hack/push-bundles.sh

@@ -37,5 +37,6 @@ print(version)")
   echo "==> Published ${repo}:${full_version}, ${repo}:${minor_version} and ${repo}:latest"
 }
 
+push_bundle pipeline-docker-build-oci-ta tekton-catalog/pipelines/docker-build-oci-ta
 push_bundle pipeline-push-to-external-registry tekton-catalog/pipelines/push-to-external-registry
 push_bundle task-buildah-oci-ta tekton-catalog/tasks/buildah-oci-ta

tekton-catalog/pipelines/docker-build-oci-ta/kustomization.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - "https://raw.githubusercontent.com/konflux-ci/build-definitions/refs/heads/main/pipelines/docker-build-oci-ta/docker-build-oci-ta.yaml"
+patches:
+  - path: patch.yaml
+    target:
+      kind: Pipeline

tekton-catalog/pipelines/docker-build-oci-ta/patch.yaml

@@ -0,0 +1,31 @@
+---
+# JSON 6902 patch for the docker-build-oci-ta pipeline.
+#
+# Upstream pipeline params (0-based indices used below):
+#   9: build-source-image   ← default "false" → override to "true"
+#
+# Upstream pipeline tasks (0-based indices used below):
+#   3: build-container      ← uses upstream buildah-oci-ta; redirect to our custom bundle
+#
+# Task indices verified with:
+#   curl -Ls "$UPSTREAM_URL" | yq ".spec.tasks.[].name" | nl -v0
+
+# Override build-source-image default to "true" — the generated .tekton files
+# default this to "false"; source images are required for production Quay pushes.
+- op: replace
+  path: /spec/params/9/default
+  value: "true"
+
+# Redirect build-container to our custom buildah-oci-ta bundle, which raises
+# memory/CPU limits to handle large Foreman images (build: 16Gi, sbom: 8Gi).
+- op: replace
+  path: /spec/tasks/3/taskRef
+  value:
+    resolver: bundles
+    params:
+      - name: bundle
+        value: quay.io/foreman/tekton-catalog/task-buildah-oci-ta:0.9
+      - name: name
+        value: buildah-oci-ta
+      - name: kind
+        value: task

tekton-catalog/pipelines/kustomization.yaml

@@ -2,4 +2,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - docker-build-oci-ta/
   - push-to-external-registry/