
Adding Trigger Konflux build #30

Open
tommyd450 wants to merge 2 commits into main from tdalton/TriggerBuildTooling

Conversation


@tommyd450 tommyd450 commented Nov 5, 2025

Summary by Sourcery

CI:

  • Introduce a trigger-konflux-build workflow with workflow_dispatch event calling the securesign/actions reusable Konflux build workflow


sourcery-ai bot commented Nov 5, 2025


Reviewer's Guide

Adds a new GitHub Actions workflow that allows manual triggering of the Konflux build by invoking a reusable workflow.

Flow diagram for manual Konflux build trigger

flowchart TD
  Start([Manual trigger via workflow_dispatch]) --> Trigger["Trigger Konflux build workflow"]
  Trigger --> Reusable["Invoke reusable workflow (securesign/actions/trigger-konflux-build)"]
  Reusable --> End([Konflux build started])

File-Level Changes

Change: Introduce a manual trigger workflow for Konflux builds
Details:
  • Add .github/workflows/trigger-konflux-build.yaml
  • Define workflow name and workflow_dispatch trigger
  • Set up job to reuse securesign/actions Konflux build workflow on main branch
  • Pass GITHUB_TOKEN as secret input
Files: .github/workflows/trigger-konflux-build.yaml



qodo-code-review bot commented Nov 5, 2025

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
Unpinned workflow reference

Description: The workflow calls an external reusable workflow from the main branch, which can change
unexpectedly and potentially introduce supply-chain risks; pin to a specific commit SHA or
a tagged release instead of @main.
trigger-konflux-build.yaml [7-11]

Referred Code
uses: securesign/actions/.github/workflows/trigger-konflux-build.yaml@main
with:
  branch: main
secrets:
  token: ${{ secrets.GITHUB_TOKEN }}
Ticket Compliance
🎫 No ticket provided
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🟢
Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed

Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed

Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed

Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status:
Missing audit logs: The workflow triggers an external reusable workflow without any explicit logging or audit
annotations of who triggered it or the action context, which may impede comprehensive
audit trails.

Referred Code
on:
  workflow_dispatch:

jobs:
  trigger-konflux-build:
    uses: securesign/actions/.github/workflows/trigger-konflux-build.yaml@main
    with:
      branch: main
    secrets:
      token: ${{ secrets.GITHUB_TOKEN }}
Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
No failure handling: The workflow delegates to a reusable workflow without local steps for handling failures,
retries, or timeouts, leaving robustness dependent on the external workflow.

Referred Code
trigger-konflux-build:
  uses: securesign/actions/.github/workflows/trigger-konflux-build.yaml@main
  with:
    branch: main
  secrets:
    token: ${{ secrets.GITHUB_TOKEN }}
Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
External workflow trust: The job uses an external reusable workflow and passes GITHUB_TOKEN without explicit
permission scoping or validation, requiring verification that the called workflow handles
inputs and secrets securely.

Referred Code
uses: securesign/actions/.github/workflows/trigger-konflux-build.yaml@main
with:
  branch: main
secrets:
  token: ${{ secrets.GITHUB_TOKEN }}
Compliance status legend 🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label


@sourcery-ai sourcery-ai bot left a comment


Hey there - I've reviewed your changes and they look great!



Comment on lines +7 to +11
    uses: securesign/actions/.github/workflows/trigger-konflux-build.yaml@main
    with:
      branch: main
    secrets:
      token: ${{ secrets.GITHUB_TOKEN }}
(No newline at end of file)

Check warning

Code scanning / CodeQL

Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 3 months ago

To fix this problem, we should add a permissions key at the job level (within the trigger-konflux-build job) or at the workflow root. Since this workflow simply triggers a reusable workflow, the safest starting point is to restrict permissions to read-only, unless there are explicit reasons for broader access. The minimal appropriate block is usually contents: read, which provides read access to the repository code, or an even more restrictive block if possible (e.g., none). The explicit block prevents the GITHUB_TOKEN from being granted unnecessary privileges for this triggering job. The change is to insert the permissions: key immediately above or within the job definition.


Suggested changeset 1
.github/workflows/trigger-konflux-build.yaml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/trigger-konflux-build.yaml b/.github/workflows/trigger-konflux-build.yaml
--- a/.github/workflows/trigger-konflux-build.yaml
+++ b/.github/workflows/trigger-konflux-build.yaml
@@ -4,6 +4,8 @@
 
 jobs:
   trigger-konflux-build:
+    permissions:
+      contents: read
     uses: securesign/actions/.github/workflows/trigger-konflux-build.yaml@main
     with:
       branch: main
EOF
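Review bot: `contents: read` is added only to the calling job, and for a job that `uses:` a reusable workflow that block is the upper bound for the GITHUB_TOKEN the called workflow runs with; before applying, confirm that `securesign/actions/.github/workflows/trigger-konflux-build.yaml` needs no more than read access to repository contents, otherwise any API call it makes with that token will be rejected and the job will fail after this change. The patch also leaves the `@main` reference in the context line untouched, so it addresses the CodeQL warning but not the unpinned-workflow finding raised earlier in this thread; those are two separate changes and should be reviewed as such.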

qodo-code-review bot commented Nov 5, 2025

PR Code Suggestions ✨

Explore these optional code suggestions:

Category   Suggestion   Impact
Security
Pin reusable workflow to a commit

Pin the reusable workflow to a specific commit SHA instead of the @main branch
to improve security.

.github/workflows/trigger-konflux-build.yaml [7]

-uses: securesign/actions/.github/workflows/trigger-konflux-build.yaml@main
+uses: securesign/actions/.github/workflows/trigger-konflux-build.yaml@<full_commit_sha> # Replace with a specific commit SHA from the 'securesign/actions' repository
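Review bot: as written the `+` line is a template rather than an applicable change: `<full_commit_sha>` must be replaced by a real 40-character commit from securesign/actions before GitHub will resolve the reference, and the long inline instruction comment is better replaced by the tag or version that SHA corresponds to, so a later reader can audit the pin against a release. Pinning also moves update responsibility into this repository; pair it with a dependency-update tool such as Dependabot, which bumps SHA-pinned actions and reusable workflows, so the pin does not silently go stale.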
Suggestion importance[1-10]: 9


Why: This is a critical security best practice for GitHub Actions to prevent supply chain attacks by ensuring the reusable workflow code is from a specific, vetted commit.

High
Explicitly define job permissions

Add a permissions block to the job to explicitly define the minimum required
permissions for the GITHUB_TOKEN.

.github/workflows/trigger-konflux-build.yaml [5-11]

 jobs:
   trigger-konflux-build:
+    permissions: {} # Add required permissions here, e.g., contents: read
     uses: securesign/actions/.github/workflows/trigger-konflux-build.yaml@main
     with:
       branch: main
     secrets:
       token: ${{ secrets.GITHUB_TOKEN }}
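Review bot: `permissions: {}` on the calling job strips every scope from the GITHUB_TOKEN that the reusable workflow runs with, including the one forwarded on the last line as `token: ${{ secrets.GITHUB_TOKEN }}`, so any API call the called workflow makes that needs a scope will fail. The trailing comment defers the real decision to the user; the suggestion should instead name the minimum scope the called workflow actually requires (the CodeQL autofix elsewhere in this thread proposes `contents: read`) rather than ship an empty block.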
Suggestion importance[1-10]: 9


Why: This suggestion correctly identifies a security risk and recommends applying the principle of least privilege by explicitly setting permissions for the GITHUB_TOKEN, which is a crucial security measure.

High
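The two findings that recur through this thread, a reusable-workflow reference pinned to a moving branch and a job with no explicit permissions block, can be checked mechanically before a workflow is merged. The script below is an added example, not code from this PR or from the securesign project: it embeds a constructed copy of the caller workflow as described above (the `name:` line is assumed), a hardened variant that pins the reference to a placeholder 40-hex SHA (not a real securesign/actions commit) and sets least-privilege permissions, and a small regex-based linter (`find_unpinned_uses` and `find_jobs_without_permissions`, both hypothetical names) that flags the weak file and passes the hardened one.

```python
"""Added example: lint a GitHub Actions caller workflow for an unpinned
reusable-workflow reference and for jobs lacking an explicit permissions block."""
import re

# Constructed sample of the caller workflow discussed in this PR (name line is assumed).
WEAK_WORKFLOW = """\
name: Trigger Konflux build
on:
  workflow_dispatch:

jobs:
  trigger-konflux-build:
    uses: securesign/actions/.github/workflows/trigger-konflux-build.yaml@main
    with:
      branch: main
    secrets:
      token: ${{ secrets.GITHUB_TOKEN }}
"""

# Hardened variant: workflow-level empty permissions, job-level read-only scope, and the
# reusable workflow pinned to a commit SHA. The SHA below is a placeholder, not a real commit.
HARDENED_WORKFLOW = """\
name: Trigger Konflux build
on:
  workflow_dispatch:

permissions: {}

jobs:
  trigger-konflux-build:
    permissions:
      contents: read
    uses: securesign/actions/.github/workflows/trigger-konflux-build.yaml@0123456789abcdef0123456789abcdef01234567  # placeholder SHA, record the tag here
    with:
      branch: main
    secrets:
      token: ${{ secrets.GITHUB_TOKEN }}
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_uses(text):
    """Return (line_no, target) for every `uses:` reference whose @ref is not a
    full 40-character commit SHA. Local (./) references carry no ref and are skipped."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        target = match.group(1)
        if target.startswith("./") or "@" not in target:
            continue
        ref = target.rsplit("@", 1)[1]
        if not FULL_SHA_RE.match(ref):
            findings.append((line_no, target))
    return findings


def find_jobs_without_permissions(text):
    """Return the names of jobs that have no `permissions:` key of their own when the
    workflow also sets none at the top level. The scan relies on the conventional
    two-space indentation: jobs at column 2, their keys at column 4."""
    lines = text.splitlines()
    if any(re.match(r"^permissions:", line) for line in lines):
        return []  # a workflow-level block applies to every job
    jobs = {}
    in_jobs = False
    current = None
    for line in lines:
        if re.match(r"^jobs:\s*$", line):
            in_jobs = True
            continue
        if in_jobs and re.match(r"^\S", line):
            in_jobs = False  # another top-level key ends the jobs mapping
        if not in_jobs:
            continue
        job = re.match(r"^  ([A-Za-z0-9_-]+):\s*$", line)
        if job:
            current = job.group(1)
            jobs[current] = False
            continue
        if current and re.match(r"^    permissions:", line):
            jobs[current] = True
    return [name for name, has_block in jobs.items() if not has_block]


def lint(text):
    """Both checks in one report; empty lists mean the workflow passes."""
    return {
        "unpinned_uses": find_unpinned_uses(text),
        "jobs_without_permissions": find_jobs_without_permissions(text),
    }


if __name__ == "__main__":
    for label, workflow in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, lint(workflow))
```

Run it directly to print the findings for both variants. The job scan assumes the two-space layout GitHub's own examples use; a tag such as `@v1` is still reported as unpinned because a tag can be moved, which is exactly why the compliance check above asks for a commit SHA. A real pin should be paired with a dependency-update tool so the SHA is bumped on new releases instead of going stale.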