
fix(ci): wire hp-fleet-gitops auth for Konflux deploy-tag #778

Merged

aredenba-rh merged 2 commits into main from fix/konflux-deploy-tag-gitops-access on Jun 24, 2026

Conversation

aredenba-rh (Collaborator) commented Jun 23, 2026

Summary

PAC git_auth_secret only covers openshift-hyperfleet/kartograph. The update-deploy-tag finally task clones private openshift-online/hp-fleet-gitops, which caused Repository not found.

This PR wires a dedicated secret for that repo and reverts the soft-fail workaround.

Also fixes agent-runtime configmap-patch.yaml sed double-quote bug.

Setup (required before merge)

  1. Create a GitHub PAT (classic or fine-grained) with Contents: Read/Write and Pull requests: Write on openshift-online/hp-fleet-gitops.

  2. In Konflux tenant namespace, apply the secret (replace PAT placeholders):

oc project kartograph-tenant
cp .tekton/kartograph-hp-fleet-gitops-auth.secret.example.yaml /tmp/kartograph-hp-fleet-gitops-auth.secret.yaml
# edit /tmp/...yaml — replace REPLACE_WITH_GITHUB_PAT (both places)
oc apply -f /tmp/kartograph-hp-fleet-gitops-auth.secret.yaml
rm /tmp/kartograph-hp-fleet-gitops-auth.secret.yaml
  3. Merge this PR, then rerun Konflux on-push for all four components.

Successful runs should open deploy-tag PRs in hp-fleet-gitops automatically.

Test plan

  • Secret kartograph-hp-fleet-gitops-auth exists in kartograph-tenant
  • Konflux on-push green for api, dev-ui, agent-runtime, openshell-gateway
  • Deploy-tag PRs appear in hp-fleet-gitops

hp-fleet-gitops is private under openshift-online; Konflux credentials
only cover kartograph. Treat deploy-tag finally failures as warnings so
successful image builds are not marked failed. Also fix agent-runtime
configmap sed producing a double quote.

Co-authored-by: Cursor <cursoragent@cursor.com>
coderabbitai Bot (Contributor) commented Jun 23, 2026
📝 Walkthrough

Summary by CodeRabbit

  • Bug Fixes

    • Improved fault-tolerance in deployment automation. Git operations in pipeline deployment tasks now handle failures gracefully with warning messages and clear manual instructions instead of causing pipeline failures, enhancing overall system resilience.
  • Chores

    • Updated pipeline automation configurations for better error handling and logging across multiple deployment stages.

Walkthrough

Four Tekton PipelineRun YAML files (kartograph-agent-runtime, kartograph-api, kartograph-dev-ui, kartograph-openshell-gateway) modify the embedded shell script in the update-deploy-tag finally task. The git clone of hp-fleet-gitops and the subsequent git push of the deploy-tag branch are each wrapped in conditional failure checks. On failure, each guard logs WARNING messages and exits 0, skipping deploy-tag automation rather than failing the pipeline. Additionally, kartograph-agent-runtime-push.yaml changes the sed quoting pattern used to substitute ${COMMIT_SHA} into the KARTOGRAPH_EXTRACTION_RUNTIME_STICKY_IMAGE value in configmap-patch.yaml.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes


CWE-78 (OS Command Injection) surface — CI/CD supply chain note:

The sed pattern change in range_4ada5855d6ff warrants direct inspection. Substituting ${COMMIT_SHA} via sed inside an inline YAML script expands a pipeline-controlled variable into a shell command. Verify that COMMIT_SHA is sourced from a trusted Tekton param/result and is not injectable (e.g., a git ref that contains shell metacharacters). The quoting change must correctly shell-escape the replacement string; a misquoted sed expression with an attacker-controlled ref satisfies CWE-78.

The exit 0 on both clone and push failure (all four files) silently suppresses git authentication errors. This is acceptable for availability but masks token expiry or repository permission regressions — ensure pipeline observability (logs/alerts) compensates.

🚥 Pre-merge checks | ✅ 11
✅ Passed checks (11 passed)
Check name Status Explanation
Title check ✅ Passed Title accurately summarizes the main change: making Konflux push pipelines non-fatal when gitops clone fails.
Description check ✅ Passed Description clearly details the root cause (404 on private repo access), the fix (non-fatal clone/push), and includes test plan.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Sec-02: Secrets In Log Output ✅ Passed PR modifies only Tekton YAML pipelines with shell scripts; no Go logging code present. Log statements log only branch names, status messages, and parsed PR URLs—not credentials, tokens, or secrets.
No Hardcoded Secrets ✅ Passed PR introduces no hardcoded secrets. SHA256 digests are container image pins. All credentials use template variables {{ git_auth_secret }}. Credentials read from Tekton workspace, not hardcoded. G...
No Weak Cryptography ✅ Passed PR contains no banned cryptographic primitives (md5, des, rc4, SHA1 for security, ECB). COMMIT_SHA is git commit hash for image tagging, explicitly excluded from check as non-security usage. No cus...
No Injection Vectors ✅ Passed No injection vectors detected. All variables in sed/git commands are hardcoded or validated to hex-only (CWE-78 safe). COMMIT_SHA validated against [0-9a-fA-F]+; IMAGE_SELECTOR/DEPLOY_COMPONENT har...
No Privileged Containers ✅ Passed No privileged container configurations (privileged: true, hostPID, hostNetwork, hostIPC, SYS_ADMIN, allowPrivilegeEscalation: true, or runAsUser: 0) found in modified Tekton pipeline YAML files; al...
No Pii Or Sensitive Data In Logs ✅ Passed PR logging statements only expose public information (branch names, commit SHAs, PR URLs). No PII, credentials, session IDs, or sensitive internal data are logged. PR_NODE_ID is extracted but not l...


coderabbitai Bot (Contributor) left a review comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.tekton/kartograph-agent-runtime-push.yaml:
- Around line 710-714: The git push command in the branch push failure handler
exits with code 0 when the push fails, which masks the failure and allows the
pipeline to succeed incorrectly. Change the exit 0 statement to exit 1 in the
conditional block following the git push origin "$BRANCH" command so that push
failures properly fail the pipeline and trigger alerting, instead of silently
continuing with a success status.
- Around line 675-680: The git clone command for the hp-fleet-gitops repository
is currently exiting with status code 0 when it fails, which silently masks
credential, access, or network failures and allows the pipeline to succeed
despite the critical deploy-tag automation being skipped. Change the exit 0
statement in the clone failure handler (in the condition checking the git clone
result) to exit with a non-zero status code like exit 1 to properly signal
pipeline failure when git clone fails, ensuring that credential revocation, repo
access changes, or infrastructure issues are not silently masked.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 7c0b75e4-15d9-4c4e-968a-8168d6a8fc91

📥 Commits

Reviewing files that changed from the base of the PR and between 4c96c39 and 6d7c9df.

📒 Files selected for processing (4)
  • .tekton/kartograph-agent-runtime-push.yaml
  • .tekton/kartograph-api-push.yaml
  • .tekton/kartograph-dev-ui-push.yaml
  • .tekton/kartograph-openshell-gateway-push.yaml
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift-hyperfleet/architecture (manual)
  • openshift-hyperfleet/hyperfleet-api (manual)
  • openshift-hyperfleet/hyperfleet-sentinel (manual)
  • openshift-hyperfleet/hyperfleet-adapter (manual)
  • openshift-hyperfleet/hyperfleet-broker (manual)
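The PR description and CodeRabbit's two notes (the CWE-78 remark about substituting ${COMMIT_SHA} through sed, and the objection to exit 0 on clone or push failure) turn on the same few lines of the update-deploy-tag finally task: how COMMIT_SHA reaches sed, how the replacement is quoted, and what happens when the gitops credential is missing. The script below is an added example written for this page, not code from the kartograph repository or its .tekton files. It assumes the kartograph-hp-fleet-gitops-auth secret is mounted as a file (GITOPS_TOKEN_FILE), a configmap-patch.yaml layout with a quoted KARTOGRAPH_EXTRACTION_RUNTIME_STICKY_IMAGE value, an example image name under quay.io/example, a GIT_ASKPASS hand-off for the token, and hypothetical function names; buggy_patch_sticky_image is a representative misquoting, since the PR page says only that the old sed "produced a double quote" and does not show the expression.

```shell
#!/usr/bin/env bash
# Added example, not code from the kartograph repo: the shape of a hardened
# update-deploy-tag finally step. Mount path, file layout, image name and
# function names are assumptions made for this illustration.
set -eu

# Assumed mount of the kartograph-hp-fleet-gitops-auth secret as a workspace
# file; the real key and path are not shown on the PR page.
GITOPS_TOKEN_FILE="${GITOPS_TOKEN_FILE:-/workspace/hp-fleet-gitops-auth/token}"
GITOPS_REPO_URL="https://x-access-token@github.com/openshift-online/hp-fleet-gitops.git"

# Allow-list: a hex commit id of 7..64 characters and nothing else, so no
# '/', '&', '"', '$', ';' or newline from a pipeline param can reach sed.
validate_commit_sha() {
  case "$1" in
    ''|*[!0-9a-fA-F]*) return 1 ;;
  esac
  if [ "${#1}" -lt 7 ] || [ "${#1}" -gt 64 ]; then
    return 1
  fi
  return 0
}

# Rewrite the sticky-image value. The sed script is single-quoted so the shell
# adds nothing, '|' is the delimiter, and exactly one pair of double quotes is
# written around the new value.
patch_sticky_image() {
  file=$1; image=$2; sha=$3
  if ! validate_commit_sha "$sha"; then
    echo "ERROR: COMMIT_SHA '$sha' is not a hex commit id; refusing to patch" >&2
    return 1
  fi
  case "$image" in
    *'"'*|*"'"*|*'\'*|*'|'*|*'&'*|*[[:space:]]*)
      echo "ERROR: image ref '$image' contains quote or sed metacharacters" >&2
      return 1 ;;
  esac
  sed -i.bak 's|^\([[:space:]]*KARTOGRAPH_EXTRACTION_RUNTIME_STICKY_IMAGE:\).*$|\1 "'"$image:$sha"'"|' "$file"
  rm -f "$file.bak"
}

# Representative misquoting of the same substitution (assumed shape, not the
# repo's original line): a double-quoted sed script whose replacement ends in
# \"\" leaves a stray trailing quote in the value.
buggy_patch_sticky_image() {
  file=$1; image=$2; sha=$3
  sed -i.bak "s|^\([[:space:]]*KARTOGRAPH_EXTRACTION_RUNTIME_STICKY_IMAGE:\).*$|\1 \"$image:$sha\"\"|" "$file"
  rm -f "$file.bak"
}

# Read back the patched value and fail unless the line carries exactly one
# "..." pair; this catches the stray-quote defect before it is pushed.
sticky_image_value() {
  line=$(grep '^[[:space:]]*KARTOGRAPH_EXTRACTION_RUNTIME_STICKY_IMAGE:' "$1")
  quotes=$(printf '%s' "$line" | tr -cd '"' | wc -c | tr -d ' ')
  if [ "$quotes" -ne 2 ]; then
    echo "ERROR: bad quoting in configmap patch: $line" >&2
    return 1
  fi
  printf '%s\n' "$line" | sed 's|^[^"]*"\(.*\)"[[:space:]]*$|\1|'
}

# The reverted workaround exited 0 here, which hid token expiry and permission
# regressions. A missing secret now fails the task with an actionable message.
require_gitops_token() {
  if [ ! -s "$GITOPS_TOKEN_FILE" ]; then
    echo "ERROR: no token at $GITOPS_TOKEN_FILE; create secret kartograph-hp-fleet-gitops-auth in the tenant namespace" >&2
    return 1
  fi
}

# Clone with the token handed over through GIT_ASKPASS, so it appears neither
# in argv nor in the URL git echoes on failure. Needs network and the real
# secret, so the offline demo below does not call it.
clone_gitops() {
  dest=$1
  require_gitops_token || return 1
  askpass=$(mktemp)
  printf '#!/bin/sh\ncat "%s"\n' "$GITOPS_TOKEN_FILE" > "$askpass"
  chmod 700 "$askpass"
  if ! GIT_ASKPASS="$askpass" GIT_TERMINAL_PROMPT=0 git clone --depth 1 "$GITOPS_REPO_URL" "$dest"; then
    rm -f "$askpass"
    echo "ERROR: clone of hp-fleet-gitops failed (expired PAT or repo permission change?)" >&2
    return 1
  fi
  rm -f "$askpass"
}

# Offline demo on a constructed configmap-patch.yaml (sample content, not the
# repo's file).
demo_dir=$(mktemp -d)
cat > "$demo_dir/configmap-patch.yaml" <<'EOF'
data:
  KARTOGRAPH_EXTRACTION_RUNTIME_STICKY_IMAGE: "quay.io/example/agent-runtime:previous"
EOF
patch_sticky_image "$demo_dir/configmap-patch.yaml" quay.io/example/agent-runtime 0123456789abcdef0123456789abcdef01234567
sticky_image_value "$demo_dir/configmap-patch.yaml"
patch_sticky_image "$demo_dir/configmap-patch.yaml" quay.io/example/agent-runtime 'abc;touch /tmp/pwned' \
  || echo "non-hex COMMIT_SHA rejected before it could reach sed"
rm -rf "$demo_dir"
```

Run it as-is for the offline demo; clone_gitops is the only function that needs network and the real secret. The three pieces work together: the hex allow-list makes the sed replacement safe whatever the quoting, the read-back check rejects the stray-quote class of bug before a deploy-tag PR is opened, and the missing-token path returns 1 so an expired PAT fails the task instead of logging a warning and passing.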

Inline comment threads on .tekton/kartograph-agent-runtime-push.yaml (2, marked outdated)
Use a dedicated kartograph-hp-fleet-gitops-auth secret for the finally
task instead of PAC's kartograph-scoped git_auth_secret. Revert
soft-fail workaround; fail clearly when the secret is missing. Keep
agent-runtime configmap sed fix.

Co-authored-by: Cursor <cursoragent@cursor.com>
aredenba-rh changed the title from "fix(ci): do not fail Konflux push when gitops clone is denied" to "fix(ci): wire hp-fleet-gitops auth for Konflux deploy-tag" on Jun 23, 2026
coderabbitai Bot (Contributor) commented Jun 23, 2026

Caution

Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted.

Error details
{}

aredenba-rh merged commit 96a3ac8 into main on Jun 24, 2026
10 checks passed
aredenba-rh deleted the fix/konflux-deploy-tag-gitops-access branch on June 24, 2026 at 20:01