Initial commit

Zhongwei Li
2025-11-30 08:35:26 +08:00
commit 3202054ccf
27 changed files with 628 additions and 0 deletions

@@ -0,0 +1,11 @@
{
"name": "working-with-provenance",
"description": "Use when tracing Konflux builds from image references, finding build logs from artifacts, or verifying source commits for container images - extracts provenance attestations to navigate from images back to builds and source code",
"version": "1.0.0",
"author": {
"name": "Konflux CI Team"
},
"skills": [
"./"
]
}

3
README.md Normal file
@@ -0,0 +1,3 @@
# working-with-provenance
Use when tracing Konflux builds from image references, finding build logs from artifacts, or verifying source commits for container images - extracts provenance attestations to navigate from images back to builds and source code

115
SKILL.md Normal file
@@ -0,0 +1,115 @@
---
name: working-with-provenance
description: Use when tracing Konflux builds from image references, finding build logs from artifacts, or verifying source commits for container images - extracts provenance attestations to navigate from images back to builds and source code
allowed-tools: Bash(cosign download:*), Bash(cosign verify:*), Bash(jq:*), Bash(~/.claude/skills/working-with-provenance/scripts/*:*)
---
# Working with Provenance
## Overview
Every Konflux build produces SLSA provenance attestations containing the complete build history: source repository, commit SHA, pipeline run URL, and build parameters. Use `cosign download attestation` with `jq` to extract this information and trace artifacts back to their origins.
## When to Use
Use this skill when you need to:
- Find build logs for an image (missing SBOM, failed tasks, debugging)
- Trace an image back to its source commit (what changed, code review)
- Verify which repository and commit produced an artifact (security, compliance)
- Extract build parameters or pipeline information (reproduce builds, debug configuration)
Do NOT use for non-Konflux images (Docker Hub, upstream images without attestations).
## Quick Reference
| Need | Command Pattern | Helper Script |
|------|----------------|---------------|
| Build log URL | `cosign download attestation $IMAGE \| jq '.payload \| @base64d \| fromjson \| .predicate.buildConfig.tasks[0].invocation.environment.annotations."pipelinesascode.tekton.dev/log-url"'` | `~/.claude/skills/working-with-provenance/scripts/build-log-link.sh $IMAGE` |
| Commit link | `cosign download attestation $IMAGE \| jq '.payload \| @base64d \| fromjson \| .predicate.buildConfig.tasks[0].invocation.environment.annotations \| ."pipelinesascode.tekton.dev/repo-url" + "/commit/" + ."pipelinesascode.tekton.dev/sha"'` | `~/.claude/skills/working-with-provenance/scripts/build-commit-link.sh $IMAGE` |
| Git repository | `cosign download attestation $IMAGE \| jq '.payload \| @base64d \| fromjson \| .predicate.buildConfig.tasks[0].invocation.environment.annotations."pipelinesascode.tekton.dev/repo-url"'` | `~/.claude/skills/working-with-provenance/scripts/build-git-repo.sh $IMAGE` |
| Origin pullspec | `cosign download attestation $IMAGE \| jq '.payload \| @base64d \| fromjson \| .subject[0].name + ":" + .predicate.buildConfig.tasks[0].invocation.environment.annotations."pipelinesascode.tekton.dev/sha"'` | `~/.claude/skills/working-with-provenance/scripts/build-origin-pullspec.sh $IMAGE` |
## Helper Scripts
This skill includes ready-to-use bash scripts that you can invoke directly:
```bash
# Extract build log URL
~/.claude/skills/working-with-provenance/scripts/build-log-link.sh quay.io/org/image:tag
# Extract commit URL (handles GitHub and GitLab)
~/.claude/skills/working-with-provenance/scripts/build-commit-link.sh quay.io/org/image:tag
# Extract git repository URL
~/.claude/skills/working-with-provenance/scripts/build-git-repo.sh quay.io/org/image:tag
# Extract original pullspec with commit SHA
~/.claude/skills/working-with-provenance/scripts/build-origin-pullspec.sh quay.io/org/image:tag
```
## Common Workflow
**Investigating missing SBOM:**
```bash
# 1. Get build log URL from provenance
LOG_URL=$(~/.claude/skills/working-with-provenance/scripts/build-log-link.sh quay.io/org/image:tag)
# 2. Open logs in browser or use debugging-pipeline-failures skill
echo $LOG_URL
```
**Tracing code changes:**
```bash
# 1. Get commit link from provenance
COMMIT=$(~/.claude/skills/working-with-provenance/scripts/build-commit-link.sh quay.io/org/image:tag)
# 2. View the commit
echo $COMMIT # Opens in browser
# 3. Check recent history
git clone $(~/.claude/skills/working-with-provenance/scripts/build-git-repo.sh quay.io/org/image:tag)
```
## Attestation Structure
Konflux provenance lives at:
```
.payload (base64-encoded)
└─ .predicate
├─ .buildConfig.tasks[0].invocation.environment.annotations
│ ├─ pipelinesascode.tekton.dev/log-url (pipeline logs)
│ ├─ pipelinesascode.tekton.dev/repo-url (git repository)
│ └─ pipelinesascode.tekton.dev/sha (commit SHA)
└─ .subject[0].name (image name)
```
## Common Mistakes
| Mistake | Fix |
|---------|-----|
| Trying to parse image tags for commit info | Tags can be arbitrary. Use provenance for definitive source. |
| Manual UI navigation to find logs | Use `build-log-link.sh` - faster and scriptable. |
| Assuming images without Konflux builds have provenance | Only Konflux-built images have SLSA attestations via Tekton Chains. |
| Forgetting to base64 decode payload | Always use `.payload \| @base64d \| fromjson` pattern. |
## Real-World Example
```bash
# User reports: "Build quay.io/redhat-user-workloads/konflux-ai-sig-tenant/llm-compressor-demo:7f9a553... missing SBOM"
# 1. Extract build log URL
$ ~/.claude/skills/working-with-provenance/scripts/build-log-link.sh quay.io/redhat-user-workloads/konflux-ai-sig-tenant/llm-compressor-demo:7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
https://konflux-ui.apps.kflux-prd-rh03.nnv1.p1.openshiftapps.com/ns/konflux-ai-sig-tenant/pipelinerun/llm-compressor-on-push-lvnc5
# 2. Extract source commit
$ ~/.claude/skills/working-with-provenance/scripts/build-commit-link.sh quay.io/redhat-user-workloads/konflux-ai-sig-tenant/llm-compressor-demo:7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
🐙 https://github.com/ralphbean/llm-compressor-hermetic-demo/commit/7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
# Now: Open logs to debug SBOM task, review commit for context
```
## Keywords
SLSA provenance, attestation, cosign, Tekton Chains, build logs, commit SHA, source tracing, artifact metadata, supply chain security, SBOM debugging, pipeline logs, container image verification
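
Review bot: The "When to Use" list offers this skill for verifying which repository and commit produced an artifact (security, compliance), but every command in Quick Reference and every helper script uses `cosign download attestation`, which fetches the attestation without checking its signature, so the `repo-url` and `sha` annotations are only as trustworthy as whoever can write to the registry. For the verification use case, document a `cosign verify-attestation` step with the expected key or identity ahead of the `jq` extraction, and either use or drop the `Bash(cosign verify:*)` entry in `allowed-tools`, which nothing in this file exercises. Two smaller points in the same file: the Commit link row builds `/commit/` while `build-commit-link.sh` builds `/-/commit/`, so the table pattern only fits GitHub; and under "Tracing code changes" the comment `# Opens in browser` sits on a plain `echo $COMMIT`, whose value also carries the script's emoji prefix rather than a bare URL.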

137
plugin.lock.json Normal file
@@ -0,0 +1,137 @@
{
"$schema": "internal://schemas/plugin.lock.v1.json",
"pluginId": "gh:konflux-ci/skills:skills/working-with-provenance",
"normalized": {
"repo": null,
"ref": "refs/tags/v20251128.0",
"commit": "7b6adb0a74a1ccfded89649ab301ee6121409ca3",
"treeHash": "44bc67aaaac2313811387700d059c6e76dc0d8bbd7ef8f2d69eea169217d3456",
"generatedAt": "2025-11-28T10:19:55.018276Z",
"toolVersion": "publish_plugins.py@0.2.0"
},
"origin": {
"remote": "git@github.com:zhongweili/42plugin-data.git",
"branch": "master",
"commit": "aa1497ed0949fd50e99e70d6324a29c5b34f9390",
"repoRoot": "/Users/zhongweili/projects/openmind/42plugin-data"
},
"manifest": {
"name": "working-with-provenance",
"description": "Use when tracing Konflux builds from image references, finding build logs from artifacts, or verifying source commits for container images - extracts provenance attestations to navigate from images back to builds and source code",
"version": "1.0.0"
},
"content": {
"files": [
{
"path": "README.md",
"sha256": "ec2fe631ce0b60d42d40a4955709f3936d10e6b8ded3518736401a63bc7c83f4"
},
{
"path": "SKILL.md",
"sha256": "08686d390304798b3f4db10ddf8f86b29c9ead91d63b9de24f1b596c787035ed"
},
{
"path": "tests/scenarios.yaml",
"sha256": "8f0342a967f93ed609c16c69f0c29cf1f6da6c3504a5cf68a98028edd3e71797"
},
{
"path": "tests/results/trace-missing-sbom-to-logs.1.txt",
"sha256": "142787a762f511535798ddd1be1f395399df752071f01e96eb896630dfa3d137"
},
{
"path": "tests/results/trace-missing-sbom-to-logs.2.txt",
"sha256": "528b78dfb1f5239ad6cb8aa2fb302c96ca8637cf52a7d13fa8eb81735a755784"
},
{
"path": "tests/results/trace-missing-sbom-to-logs.3.txt",
"sha256": "ccee57ea972f0c1ff4b6c7c6909cf646d15a7c7eaa5afa80162fa5d0b1798d57"
},
{
"path": "tests/results/extract-pipeline-logs.1.txt",
"sha256": "58832233992ec268b6c674e9f741468207f585eb21723477c51a5303e800e433"
},
{
"path": "tests/results/extract-pipeline-logs.3.txt",
"sha256": "8eff675f29b44e21a54fc7eebfb1ca4f25d13a4202a62bc1c2c0d40fc3158854"
},
{
"path": "tests/results/extract-pipeline-logs.2.txt",
"sha256": "c164810cf4274ebb3805b7011e3364ac350edf2282b1ca6b9721da6331eb0dd4"
},
{
"path": "tests/results/extract-git-repo.1.txt",
"sha256": "0eab8d54abe1b8761885682d94fffb7f03673a5ec875b20becdab073cfe02c9f"
},
{
"path": "tests/results/negative-non-konflux-image.3.txt",
"sha256": "01974155a62528ccaba0bd4ebff20b68d5713a194f905ae2d0c24d32ef214144"
},
{
"path": "tests/results/negative-non-konflux-image.2.txt",
"sha256": "644bd6b86f246ffbae1144237358ef1b84776f40a52a68e3ccf67041133225b2"
},
{
"path": "tests/results/extract-git-repo.2.txt",
"sha256": "7e8969190bd59402af35250efbbeb12b679dd38fc0b643885c87c1913df62f94"
},
{
"path": "tests/results/negative-non-konflux-image.1.txt",
"sha256": "26538f67a4ced8d18739b0e92ddf1c7b2b9311ceb816e4b87e6c17d224d22266"
},
{
"path": "tests/results/extract-git-repo.3.txt",
"sha256": "a67eaf153e1b76dacbc9de66310aa6fcbb413588a30359071397f0d9c83cc283"
},
{
"path": "tests/results/verify-image-source.1.txt",
"sha256": "bfea63a15dcbc52d692f97739384f65f0303aef511ef6f8ecca71ca174c28d80"
},
{
"path": "tests/results/trace-build-to-commit.3.txt",
"sha256": "f8457374306739356d40ebb4a0bcc3a72758bb25cc8adbb24968b50ee359780b"
},
{
"path": "tests/results/trace-build-to-commit.2.txt",
"sha256": "f530c8410a664b3c959ee1641e3def238e46d4d6f515c2a6b2148be657987769"
},
{
"path": "tests/results/verify-image-source.2.txt",
"sha256": "160cdb5d9a801e381045f3c3e4b69a316bc2fc365f9f47be020e7a4ee7c96ee8"
},
{
"path": "tests/results/trace-build-to-commit.1.txt",
"sha256": "b19902978da6621e6f62611668d8dd4f4a4bec39a52d0ac67b5df74d739d6fd7"
},
{
"path": "tests/results/verify-image-source.3.txt",
"sha256": "219fdff036dc171ddaf2e8866a6bbf22f80e5154e14232ef4412cf54e3680f02"
},
{
"path": "scripts/build-origin-pullspec.sh",
"sha256": "0d00453709e69340d3a876039d81fd1ed5abe9b83e0da6e83c0f00d99c0e7840"
},
{
"path": "scripts/build-commit-link.sh",
"sha256": "eeedc272c58a68eaf1dbe87b35f28c7566120514ecfe81a9d2b4b3950781cc18"
},
{
"path": "scripts/build-log-link.sh",
"sha256": "d1e525b66dba43d82bd1a880e4213d60094f2b522deff80b319d4aff4579297e"
},
{
"path": "scripts/build-git-repo.sh",
"sha256": "b45af5dbcae075ffc9e2295a4dcaf0afc1ebc1c2f3cad6daae22a17d9b549f3b"
},
{
"path": ".claude-plugin/plugin.json",
"sha256": "0c6b5514780d07b79c8f385621181d4019b28a679d756e73e71207fbec4379f8"
}
],
"dirSha256": "44bc67aaaac2313811387700d059c6e76dc0d8bbd7ef8f2d69eea169217d3456"
},
"security": {
"scannedAt": null,
"scannerVersion": null,
"flags": []
}
}
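
Review bot: `origin.repoRoot` records an absolute path from the publisher's workstation (`/Users/zhongweili/projects/openmind/42plugin-data`), which means nothing to consumers of the lock file and discloses a local username and directory layout; drop the field or store a repository-relative value. The `security` block is committed with `scannedAt` and `scannerVersion` both null and an empty `flags` list, which reads like a clean result although no scan is recorded; omit the block until a scan has actually run, or add an explicit "not scanned" status.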

12
scripts/build-commit-link.sh Executable file
@@ -0,0 +1,12 @@
#!/bin/bash -u
IMAGE=${1}
expression='.payload | @base64d | fromjson | .predicate.buildConfig.tasks[0].invocation.environment.annotations | ."pipelinesascode.tekton.dev/repo-url" + "/-/commit/" + ."pipelinesascode.tekton.dev/sha"'
output=$(cosign download attestation $IMAGE | jq -r "$expression")
if [[ "$output" == *github.com/* ]] ; then
echo "🐙 $output" | sed 's|/-/|/|'
else
echo "🦊 $output"
fi
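
Review bot: Nothing checks that `cosign download attestation` or the annotation lookup succeeded: with only `-u` on the shebang a failure in the pipeline is ignored, and when the annotations are absent jq concatenates nulls into `/-/commit/`, so the script prints `🦊 /-/commit/` and exits 0. Suggest `set -o pipefail`, quoting `"$IMAGE"`, and exiting non-zero when repo-url or sha is empty. The emoji prefix also means callers that capture the output, as SKILL.md does with `COMMIT=$(...)`, do not get a usable URL; write the decoration to stderr or put it behind a flag. The `*github.com/*` test matches that substring anywhere in the string, so anchor it to the host part of the URL.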

6
scripts/build-git-repo.sh Executable file
@@ -0,0 +1,6 @@
#!/bin/bash -u
IMAGE=${1}
expression='.payload | @base64d | fromjson | .predicate.buildConfig.tasks[0].invocation.environment.annotations."pipelinesascode.tekton.dev/repo-url"'
cosign download attestation $IMAGE | jq -r "$expression"
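
Review bot: The printed value is consumed as a command argument (SKILL.md runs `git clone $(...build-git-repo.sh ...)`), yet it comes straight from a downloaded, unverified attestation and is emitted without any check; when the annotation is missing, `jq -r` prints the literal `null` and the script still exits 0. Suggest quoting `"$IMAGE"`, enabling `set -o pipefail`, using `jq -e` or an explicit empty/null test, and rejecting anything that is not an `https://` URL before printing.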

7
scripts/build-log-link.sh Executable file
@@ -0,0 +1,7 @@
#!/bin/bash -u
IMAGE=${1}
cosign download attestation $IMAGE \
| jq -r '.payload | @base64d | fromjson | .predicate.buildConfig.tasks[0].invocation.environment.annotations."pipelinesascode.tekton.dev/log-url"' \
| sed 's|console.redhat.com/application-pipeline|konflux-ui.apps.stone-prd-rh01.pg1f.p1.openshiftapps.com|'
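
Review bot: The final `sed` rewrites every `console.redhat.com/application-pipeline` URL to one fixed host, `konflux-ui.apps.stone-prd-rh01.pg1f.p1.openshiftapps.com`, while the SKILL.md example in this same commit shows a log URL on `konflux-ui.apps.kflux-prd-rh03.nnv1.p1.openshiftapps.com`; a build from any other cluster would be sent to the wrong UI. Make the target host a parameter or environment variable, or leave the URL untouched when the cluster cannot be determined, and add a comment explaining why the rewrite exists. The dots in the sed pattern are unescaped and `$IMAGE` is unquoted.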

@@ -0,0 +1,8 @@
#!/bin/bash -u
IMAGE=${1}
expression='.payload | @base64d | fromjson | .subject[0].name + ":" + .predicate.buildConfig.tasks[0].invocation.environment.annotations."pipelinesascode.tekton.dev/sha"'
output=$(cosign download attestation $IMAGE | jq -r "$expression")
echo $output
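
Review bot: `echo $output` is unquoted, so the captured value is word-split and glob-expanded before printing, and if the image carries more than one attestation the separate results are joined onto one line; print with `printf '%s\n' "$output"` or drop the capture and let `jq -r` write directly, as `build-git-repo.sh` does. The result is `name:sha`, which assumes the build pushed a tag equal to the commit SHA; state that assumption in a comment, since a tag is not a pinned reference. `$IMAGE` should be quoted here too.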

@@ -0,0 +1,9 @@
# skill_digest: 277bf232d6be393d85b2319366d2fc3272f724b211a267eafcecbb712eff0bb0
Great! From the provenance attestation, I can extract the key information:
Repository URL: https://github.com/ralphbean/llm-compressor-hermetic-demo
Commit SHA: 7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
The image was built from the repository `ralphbean/llm-compressor-hermetic-demo` at the specific commit `7f9a553`.
Would you like me to provide more details about the repository or the specific commit?

@@ -0,0 +1,9 @@
# skill_digest: 277bf232d6be393d85b2319366d2fc3272f724b211a267eafcecbb712eff0bb0
Based on the provenance information, I can confirm:
- Repository: https://github.com/ralphbean/llm-compressor-hermetic-demo
- Commit SHA: 7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
The image was built from this specific GitHub repository, specifically the commit with the hash 7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd. You can view the exact commit by visiting: https://github.com/ralphbean/llm-compressor-hermetic-demo/commit/7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
Is there anything else you'd like to know about this image or its origin?

@@ -0,0 +1,13 @@
# skill_digest: 277bf232d6be393d85b2319366d2fc3272f724b211a267eafcecbb712eff0bb0
Let me summarize the findings:
The image `quay.io/redhat-user-workloads/konflux-ai-sig-tenant/llm-compressor-demo:7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd` originates from the GitHub repository:
https://github.com/ralphbean/llm-compressor-hermetic-demo
Specifically:
- Repository: ralphbean/llm-compressor-hermetic-demo
- Commit: 7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
- Branch: main
The image was built as part of a Konflux CI pipeline and stored in the Quay.io registry under the redhat-user-workloads/konflux-ai-sig-tenant organization.

@@ -0,0 +1,12 @@
# skill_digest: 277bf232d6be393d85b2319366d2fc3272f724b211a267eafcecbb712eff0bb0
Great! I've found the full pipeline logs for your Konflux build:
1. Build Log URL:
https://konflux-ui.apps.kflux-prd-rh03.nnv1.p1.openshiftapps.com/ns/konflux-ai-sig-tenant/pipelinerun/llm-compressor-on-push-lvnc5
2. Commit Link (for additional context):
https://github.com/ralphbean/llm-compressor-hermetic-demo/commit/7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
You can click on the build log URL to view the detailed pipeline run logs and investigate the specific errors you encountered. The commit link allows you to see the exact code changes that were part of this build.
Is there anything specific about the build errors you'd like me to help you investigate further?

@@ -0,0 +1,15 @@
# skill_digest: 277bf232d6be393d85b2319366d2fc3272f724b211a267eafcecbb712eff0bb0
Here's what I found:
1. **Build Log URL**:
https://konflux-ui.apps.kflux-prd-rh03.nnv1.p1.openshiftapps.com/ns/konflux-ai-sig-tenant/pipelinerun/llm-compressor-on-push-lvnc5
2. **Repository**:
https://github.com/ralphbean/llm-compressor-hermetic-demo
3. **Commit SHA**:
7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
The build log URL will provide the full details of the pipeline run and any errors encountered during the build. You can open this URL in a web browser to view the complete logs and understand why the build failed.
Would you like me to help you interpret the specific errors from the build log?

@@ -0,0 +1,18 @@
# skill_digest: 277bf232d6be393d85b2319366d2fc3272f724b211a267eafcecbb712eff0bb0
Here's a summary of the build information:
1. **Build Log URL**:
https://konflux-ui.apps.kflux-prd-rh03.nnv1.p1.openshiftapps.com/ns/konflux-ai-sig-tenant/pipelinerun/llm-compressor-on-push-lvnc5
2. **Git Repository**:
https://github.com/ralphbean/llm-compressor-hermetic-demo
3. **Commit SHA**:
7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
To investigate the failed build, I recommend:
1. Open the build log URL in your browser
2. Look for specific error messages in the pipeline run logs
3. Check the commit in the GitHub repository to see if there are any obvious issues with the code
Is there anything specific about the build failure you'd like me to help you investigate further?

@@ -0,0 +1,25 @@
# skill_digest: 277bf232d6be393d85b2319366d2fc3272f724b211a267eafcecbb712eff0bb0
I apologize for the error. Let me provide you with the standard ways to find the source code for the nginx Docker image:
1. Official GitHub Repository:
- The official nginx source code is maintained on GitHub at: https://github.com/nginx/nginx
- For the Docker image specifically, check: https://github.com/nginx/docker-nginx
2. Docker Hub Source:
- Visit the official nginx Docker Hub page: https://hub.docker.com/_/nginx
- The "Source" link on this page will direct you to the GitHub repositories
3. Dockerfile Investigation:
- You can pull the image and inspect its Dockerfile:
```bash
docker pull nginx:latest
docker run -it --entrypoint /bin/sh nginx:latest
cat /Dockerfile # Inside the container
```
4. Official Nginx Website:
- The primary source code repository is at: https://hg.nginx.org/nginx/
For the most up-to-date and official source code, I recommend checking the GitHub repositories mentioned above. The nginx:latest tag typically points to the mainline version of nginx, which is actively maintained.
Would you like me to help you explore the source code further or explain how to investigate the image's details?
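
Review bot: This recorded sample opens with "I apologize for the error", so the run hit a failure that the file does not show, and the matching scenario's only assertion (`does_not_contain: cosign download attestation`) cannot tell whether the skill was triggered before that error. Store the tool calls or transcript next to each result, or record a structured "skill invoked: yes/no" field, so the negative case is actually evidenced by the committed sample.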

@@ -0,0 +1,24 @@
# skill_digest: 277bf232d6be393d85b2319366d2fc3272f724b211a267eafcecbb712eff0bb0
I'll try again with a direct search:
The official nginx source code is maintained on GitHub at https://github.com/nginx/nginx
To get the exact source for the latest version:
1. Go to https://github.com/nginx/nginx
2. Check the tags or releases to find the version corresponding to the latest Docker Hub image
3. You can clone the repository:
```bash
git clone https://github.com/nginx/nginx.git
```
A few additional points about nginx:latest:
- The Docker Hub image is maintained by the Docker Nginx team
- The source is open-source and available on GitHub
- The Dockerfile for the official image is typically maintained in a separate repository: https://github.com/nginxinc/docker-nginx
If you want to investigate the specific Dockerfile used to build the nginx:latest image, I recommend:
1. Checking the Docker Hub page for nginx
2. Looking at the official nginx Docker image repository on GitHub
Would you like me to help you find more specific details about the nginx:latest source code or Dockerfile?

@@ -0,0 +1,16 @@
# skill_digest: 277bf232d6be393d85b2319366d2fc3272f724b211a267eafcecbb712eff0bb0
I apologize for the error. Let me rephrase my recommendation:
To find the source code for the nginx:latest Docker Hub image:
1. Visit https://github.com/nginxinc/docker-nginx
2. Look for the Dockerfile in this repository
3. You can explore different branches for various nginx versions
4. The official Docker Hub page (https://hub.docker.com/_/nginx) also links to this source repository
If you want the exact Dockerfile used to build the latest image, I recommend:
- Checking the official GitHub repository
- Using `docker pull nginx:latest` locally
- Running `docker history nginx:latest` to see layer information
- Consulting the Docker Hub documentation for the most current source details
Would you like me to help you explore the nginx Docker image source in more detail?

@@ -0,0 +1,10 @@
# skill_digest: 277bf232d6be393d85b2319366d2fc3272f724b211a267eafcecbb712eff0bb0
Here's a summary of the build information:
1. Repository: https://github.com/ralphbean/llm-compressor-hermetic-demo
2. Commit SHA: 7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
3. Build Log URL: https://konflux-ui.apps.kflux-prd-rh03.nnv1.p1.openshiftapps.com/ns/konflux-ai-sig-tenant/pipelinerun/llm-compressor-on-push-lvnc5
You can visit the commit link to see exactly what changes were made in this specific build. The build log URL will provide details about the build process if you need to investigate any specific issues with the build.
Would you like me to help you investigate further by checking the specific changes in the commit or examining the build logs?

@@ -0,0 +1,13 @@
# skill_digest: 277bf232d6be393d85b2319366d2fc3272f724b211a267eafcecbb712eff0bb0
Here's a summary of the build details:
- Image: quay.io/redhat-user-workloads/konflux-ai-sig-tenant/llm-compressor-demo:7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
- Repository: https://github.com/ralphbean/llm-compressor-hermetic-demo
- Commit SHA: 7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
- Build Log URL: https://konflux-ui.apps.kflux-prd-rh03.nnv1.p1.openshiftapps.com/ns/konflux-ai-sig-tenant/pipelinerun/llm-compressor-on-push-lvnc5
You can:
1. Check the specific commit at the GitHub link to see what changes were made
2. Review the build log at the provided URL to understand any build issues
3. If the image isn't working as expected, compare the code at this commit with previous working versions
Would you like me to help you investigate why the image isn't working as expected?

@@ -0,0 +1,14 @@
# skill_digest: 277bf232d6be393d85b2319366d2fc3272f724b211a267eafcecbb712eff0bb0
I'll summarize the findings for you:
1. Commit Link: https://github.com/ralphbean/llm-compressor-hermetic-demo/commit/7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
2. Build Log URL: https://konflux-ui.apps.kflux-prd-rh03.nnv1.p1.openshiftapps.com/ns/konflux-ai-sig-tenant/pipelinerun/llm-compressor-on-push-lvnc5
The image was built from the exact commit `7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd` in the `llm-compressor-hermetic-demo` repository owned by ralphbean.
I recommend:
1. Visit the commit URL to review the specific changes
2. Check the build log URL for any build-time issues or warnings
3. If the build isn't working as expected, compare this commit with the previous working version to identify potential problems
Would you like me to help you investigate the specific changes in this commit or debug the issues you're experiencing?

@@ -0,0 +1,12 @@
# skill_digest: 277bf232d6be393d85b2319366d2fc3272f724b211a267eafcecbb712eff0bb0
Here's what I found:
1. Build Log URL: https://konflux-ui.apps.kflux-prd-rh03.nnv1.p1.openshiftapps.com/ns/konflux-ai-sig-tenant/pipelinerun/llm-compressor-on-push-lvnc5
2. Git Repository: https://github.com/ralphbean/llm-compressor-hermetic-demo
3. Commit SHA: 7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
The build log URL should help you investigate why the SBOM is missing. I recommend:
1. Open the build log URL in a web browser
2. Look for any SBOM generation steps or errors
3. Check if there are any pipeline configuration issues preventing SBOM generation
Would you like me to help you further investigate the SBOM generation process or explain what might have caused its absence?

@@ -0,0 +1,18 @@
# skill_digest: 277bf232d6be393d85b2319366d2fc3272f724b211a267eafcecbb712eff0bb0
I've found the following information for you:
1. Build Log URL:
https://konflux-ui.apps.kflux-prd-rh03.nnv1.p1.openshiftapps.com/ns/konflux-ai-sig-tenant/pipelinerun/llm-compressor-on-push-lvnc5
2. Source Repository:
https://github.com/ralphbean/llm-compressor-hermetic-demo
3. Commit SHA:
7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
The build log URL should help you investigate why the SBOM might be missing. I recommend:
1. Open the build log URL in a browser
2. Look for any SBOM-related tasks or errors
3. Check if the SBOM generation step was skipped or failed
Would you like me to help you investigate the specific reason for the missing SBOM?

@@ -0,0 +1,12 @@
# skill_digest: 277bf232d6be393d85b2319366d2fc3272f724b211a267eafcecbb712eff0bb0
Here's what I found for the image quay.io/redhat-user-workloads/konflux-ai-sig-tenant/llm-compressor-demo:7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd:
1. Build Log URL:
https://konflux-ui.apps.kflux-prd-rh03.nnv1.p1.openshiftapps.com/ns/konflux-ai-sig-tenant/pipelinerun/llm-compressor-on-push-lvnc5
2. Source Repository:
https://github.com/ralphbean/llm-compressor-hermetic-demo
The build log URL should help you investigate why the SBOM might be missing. You can open this link in a web browser to view the complete pipeline run details and logs.
Would you like me to help you investigate further why the SBOM might be missing from this build?

@@ -0,0 +1,9 @@
# skill_digest: 277bf232d6be393d85b2319366d2fc3272f724b211a267eafcecbb712eff0bb0
To summarize:
- The exact source code commit for this Konflux production image is:
**7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd**
- This commit was from the `main` branch of the repository
https://github.com/ralphbean/llm-compressor-hermetic-demo
- The commit was made on 2025-10-21 at 20:19:23 UTC
Would you like me to fetch more details about this specific commit?

@@ -0,0 +1,13 @@
# skill_digest: 277bf232d6be393d85b2319366d2fc3272f724b211a267eafcecbb712eff0bb0
Based on the provenance information, here are the key details about the source code for this Konflux production image:
1. **Commit Hash**: `7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd`
2. **Repository**: https://github.com/ralphbean/llm-compressor-hermetic-demo
3. **Branch**: `main`
4. **Commit Title**: "Document llm-compressor-remote-oci-ta task in README"
5. **Build Date**: 2025-10-21T20:19:23Z
You can verify this commit by visiting the GitHub repository URL and checking the specific commit hash. The exact source code for this image can be found at:
https://github.com/ralphbean/llm-compressor-hermetic-demo/commit/7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
Is there anything specific you'd like to know about this source code commit or the image build process?
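
Review bot: Items 3 to 5 (`Branch`, `Commit Title`, `Build Date`) are values that none of the four helper scripts or Quick Reference patterns in this commit extract, and the sample does not show which command produced them, so a reader cannot tell attestation data from model guesswork. Since the scenario asserts only on the SHA and the repository name, either store the tool transcript with each result or add assertions that cover these fields.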

@@ -0,0 +1,9 @@
# skill_digest: 277bf232d6be393d85b2319366d2fc3272f724b211a267eafcecbb712eff0bb0
Based on the provenance information, I can confirm the details for this image:
- Source Repository: https://github.com/ralphbean/llm-compressor-hermetic-demo
- Exact Commit: 7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
- Branch: main
- Build Timestamp: 2025-10-21T20:19:23Z
Would you like me to provide any additional information about this specific commit or the source repository?

78
tests/scenarios.yaml Normal file
@@ -0,0 +1,78 @@
# Test scenarios for working-with-provenance skill
# This file defines all test cases for validating the skill's behavior
skill_name: working-with-provenance
description: Tests for provenance attestation navigation and artifact tracing
# Test scenarios following TDD methodology (RED-GREEN-REFACTOR)
test_scenarios:
- name: trace-missing-sbom-to-logs
description: Test ability to navigate from image to build logs for SBOM investigation
prompt: "This Konflux build quay.io/redhat-user-workloads/konflux-ai-sig-tenant/llm-compressor-demo:7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd is missing its SBOM. Can you help me find the build logs to see what happened?"
model: haiku
samples: 3
expected:
contains_keywords:
- konflux-ui
- pipelinerun
does_not_contain: []
baseline_failure: "Agent doesn't know how to extract build log URL from provenance attestation"
- name: trace-build-to-commit
description: Test ability to navigate from image to source commit
prompt: "The latest Konflux build quay.io/redhat-user-workloads/konflux-ai-sig-tenant/llm-compressor-demo:7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd isn't working as expected. Can you help me find which commit it was built from so I can see what changed?"
model: haiku
samples: 3
expected:
contains_keywords:
- 7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
- github.com
does_not_contain: []
baseline_failure: "Agent doesn't know how to extract commit SHA and repo URL from provenance"
- name: verify-image-source
description: Test security/compliance verification of image source
prompt: "I need to verify which exact source code commit this Konflux production image was built from: quay.io/redhat-user-workloads/konflux-ai-sig-tenant/llm-compressor-demo:7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd"
model: haiku
samples: 3
expected:
contains_keywords:
- 7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
- llm-compressor-hermetic-demo
does_not_contain: []
baseline_failure: "Agent doesn't know provenance contains definitive source information"
- name: extract-pipeline-logs
description: Test quick extraction of pipeline log URL
prompt: "A Konflux build failed with weird errors. I have the image reference quay.io/redhat-user-workloads/konflux-ai-sig-tenant/llm-compressor-demo:7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd. How do I get to the full pipeline logs?"
model: haiku
samples: 3
expected:
contains_keywords:
- konflux-ui
- pipelinerun
does_not_contain: []
baseline_failure: "Agent suggests manual UI navigation instead of using provenance"
- name: extract-git-repo
description: Test extraction of source repository URL
prompt: "I have this Konflux image quay.io/redhat-user-workloads/konflux-ai-sig-tenant/llm-compressor-demo:7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd but don't know which repo it came from. How can I find out?"
model: haiku
samples: 3
expected:
contains_keywords:
- github.com
- llm-compressor-hermetic-demo
does_not_contain: []
baseline_failure: "Agent doesn't know how to extract repository URL from provenance"
- name: negative-non-konflux-image
description: Test that skill doesn't trigger for non-Konflux contexts
prompt: "How do I find the source code for this Docker Hub image: nginx:latest?"
model: haiku
samples: 3
expected:
contains_keywords: []
does_not_contain:
- cosign download attestation
baseline_failure: "Skill shouldn't apply to non-Konflux images"
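
Review bot: In `trace-build-to-commit` and `verify-image-source` the expected keyword `7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd` already appears in the prompt as the image tag, so a response that merely repeats the image reference satisfies half of the check without touching provenance; assert on something only the attestation can supply, such as the `/commit/` URL or the `pipelinerun` name. `negative-non-konflux-image` has the opposite gap: `does_not_contain: cosign download attestation` looks for a command string, but the recorded positive results in this commit contain no command strings either, so the check would pass whether or not the skill ran.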