feat: Implement DAST pipeline

[bouskaJ]

This PR contains:

• major refactoring of our testing pipelines
• introduces a new pipeline for DAST testing
• bump of the OCP version

Summary by Sourcery

Implement a DAST pipeline and modernize the integration test pipelines by adopting workspaces, consolidating tasks, exporting service endpoints, and updating defaults.

New Features:

• Introduce a new Tekton PipelineRun and rapidast-check Task for dynamic application security testing (DAST) of Fulcio and Rekor services

Enhancements:

• Refactor existing integration-test-pipelines to use Tekton workspaces for source-code, remove deprecated parameters, and relocate the rhtas-operator-e2e pipeline under integration-test-pipelines

Chores:

• Enhance the install-tas step to export fulcio, tuf, rekor, and tsa URLs and bump the default OpenShift version to 4.19
• Remove unused stepactions and obsolete root-level pipeline YAML

[sourcery-ai]

Reviewer's Guide

This PR refactors existing pipeline tasks to leverage Tekton workspaces for resource handling, enhances step actions to emit service endpoints, consolidates and upgrades the end-to-end pipeline with a default OCP version bump, and introduces a new DAST pipeline with a dedicated RapiDAST task for API scanning.

Class diagram for refactored pipeline tasks and step actions

classDiagram
  class InstallOperatorFromImageTask {
    +namespace: string
    +resources_path: string
    +workspaces: source-code
    +steps: get-kubeconfig, kustomize-resources, run-operator
  }
  class InstallOperatorFromFbcTask {
    +fbcImage: string
    +namespace: string (default: openshift-operators)
    +operator-name: string
    +steps: get-kubeconfig, install-operator, wait-for-deployment
  }
  class InstallOperatorFromBundleTask {
    +bundleImage: string
    +namespace: string (default: default)
    +timeout: string
  }
  class InstallKeycloakStepAction {
    +credentials: string
    +workdir: string
    +steps: install-keycloak
  }
  class InstallTasStepAction {
    +credentials: string
    +workdir: string
    +results: fulcio-url, tuf-url, rekor-url, tsa-url
    +steps: install-tas
  }
  class RapidastTask {
    +API scanning logic
  }
  InstallOperatorFromImageTask <|-- InstallOperatorFromFbcTask
  InstallOperatorFromImageTask <|-- InstallOperatorFromBundleTask
  InstallKeycloakStepAction <|-- InstallTasStepAction
  class ProcessGoTestResultsStepAction {
    +process test results
  }
  class OperatorDastPipeline {
    +uses: RapidastTask
  }
  class RhtasOperatorE2ePipeline {
    +uses: InstallOperatorFromImageTask, InstallKeycloakStepAction, InstallTasStepAction, ProcessGoTestResultsStepAction
  }
  OperatorDastPipeline --> RapidastTask
  RhtasOperatorE2ePipeline --> InstallOperatorFromImageTask
  RhtasOperatorE2ePipeline --> InstallKeycloakStepAction
  RhtasOperatorE2ePipeline --> InstallTasStepAction
  RhtasOperatorE2ePipeline --> ProcessGoTestResultsStepAction

Loading

Flow diagram for new DAST pipeline with RapiDAST task

flowchart TD
  A["Start DAST Pipeline"] --> B["Run RapiDAST Task"]
  B --> C["API Scan Results"]
  C --> D["Process Results"]
  D --> E["End Pipeline"]

Loading

File-Level Changes

Change	Details	Files
Refactor installation tasks to use Tekton workspaces and remove redundant volumes/params	Replace emptyDir volumes for resources with a shared source-code workspace Remove redundant params (resources_url, deployName) and hardcoded paths Adjust kustomize and oc commands to use $(workspaces.source-code.path)	tasks/install-operator-from-image.yaml tasks/install-operator-from-fbc.yaml tasks/install-operator-from-bundle.yaml
Enhance test setup actions to capture service endpoints as results	Remove obsolete repository mounts and use param-defined workdir Add results for fulcio-url, tuf-url, rekor-url and tsa-url in install-tas Update install-keycloak to use workdir param correctly	stepactions/install-tas.yaml stepactions/install-keycloak.yaml
Refactor end-to-end pipeline, clean up legacy steps and bump OCP version	Delete old rhtas-operator-e2e.yaml and legacy extract/git-clone/secure-push stepactions Add new integration-test-pipelines/pipelines/rhtas-operator-e2e.yaml with unified workspace usage Bump default OCP_VERSION parameter to "4.19"	integration-test-pipelines/pipelines/rhtas-operator-e2e.yaml stepactions/extract-cosign.yaml stepactions/extract-oc.yaml stepactions/extract-tuftool.yaml stepactions/git-clone.yaml stepactions/secure-push-oci.yaml
Implement new DAST testing pipeline and associated rapidast task	Add operator-dast PipelineRun for API security scanning of Fulcio and Rekor Create rapidast.yaml Task to run RapiDAST and process scan results	integration-test-pipelines/pipelines/operator-dast.yaml integration-test-pipelines/tasks/rapidast.yaml

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey there - I've reviewed your changes - here's some feedback:

• The operator-e2e and operator-dast PipelineRuns share many similar steps—abstract common sequences or parameter sets into reusable Pipelines or Tasks to avoid duplication and simplify maintenance.
• Multiple tasks and pipelines embed hardcoded namespace and OCP version defaults; consider centralizing those defaults as shared parameters or environment variables to streamline version upgrades.
• The new YAML additions are very large; splitting pipeline definitions and tasks into smaller, self-contained files could help maintain readability and ease future changes.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The operator-e2e and operator-dast PipelineRuns share many similar steps—abstract common sequences or parameter sets into reusable Pipelines or Tasks to avoid duplication and simplify maintenance.
- Multiple tasks and pipelines embed hardcoded namespace and OCP version defaults; consider centralizing those defaults as shared parameters or environment variables to streamline version upgrades.
- The new YAML additions are very large; splitting pipeline definitions and tasks into smaller, self-contained files could help maintain readability and ease future changes.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[bouskaJ]

Successful test runs:

• https://konflux-ui.apps.stone-prd-rh01.pg1f.p1.openshiftapps.com/ns/rhtas-tenant/applications/fbc-v4-19/pipelineruns/operator-e2e-2hdh5?integrationTestName=fbc-e2e-4-19
• https://konflux-ui.apps.stone-prd-rh01.pg1f.p1.openshiftapps.com/ns/rhtas-tenant/applications/fbc-v4-19/pipelineruns/operator-dast-p2d6r?integrationTestName=dast-test

[JasonPowr]

Changes do look good the refactor on the RHTAS E2E is cleaner than the original, nice job, my only issue with this is the deletion of the stepActions. The policy controller operator E2E test still uses these, can you add them back for now and I can refactor the PCO E2E at some point then I will remove them :)

[JasonPowr]

Can you add a new line here?

[osmman]

You will need to modify rhtas-operator template to add/modify a integration tests
https://github.com/securesign/pipelines/blob/main/konflux-configs/base/project/overlay/rhtas-operator/patch/e2e.yaml

[github-actions]

Configuration Diff

2 document(s) impacted:

+ 0 added
- 0 removed
! 2 modified

Diff

@@ spec.resources.appstudio.redhat.com/v1beta2/IntegrationTestScenario/rhtas-operator-e2e-test{{.nameSuffix}}.spec.resolverRef.params.pathInRepo.value @@
# projctl.konflux.dev/v1beta1/ProjectDevelopmentStreamTemplate/rhtas-tenant/operator-template
! ± value change
- pipelines/rhtas-operator-e2e.yaml
+ pipelines/integration-test/rhtas-operator-e2e.yaml

@@ spec.resources.appstudio.redhat.com/v1beta2/IntegrationTestScenario/rhtas-operator-e2e-test{{.nameSuffix}}.spec.resolverRef.resourceKind @@
# projctl.konflux.dev/v1beta1/ProjectDevelopmentStreamTemplate/rhtas-tenant/operator-template
! ± value change
- pipeline
+ pipelinerun

---

_{📦 Artifacts: base-output.yaml, head-output.yaml, dyff-output.txt}

[bouskaJ]

@JasonPowr sorry, I did not noticed that there is one more test pipeline. I did the refactoring too. Please review.

[JasonPowr]

@bouskaJ Refactor looks great , thank you for taking on the extra work and refactoring the PCO E2E as well, I appreciate it :).

It might be better to wait to merge this so we know for definite that CAC is all good

[bouskaJ]

I executed all pipelines that could be related and all passed, but there is a number of variants. Ping me if something fails.