From 3202054ccfea2eba26de9d79e3be8d3f99a0fd20 Mon Sep 17 00:00:00 2001 
From: Zhongwei Li Date: Sun, 30 Nov 2025 08:35:26 +0800 Subject: [PATCH] Initial commit --- .claude-plugin/plugin.json | 11 ++ README.md | 3 + SKILL.md | 115 +++++++++++++++ plugin.lock.json | 137 ++++++++++++++++++ scripts/build-commit-link.sh | 12 ++ scripts/build-git-repo.sh | 6 + scripts/build-log-link.sh | 7 + scripts/build-origin-pullspec.sh | 8 + tests/results/extract-git-repo.1.txt | 9 ++ tests/results/extract-git-repo.2.txt | 9 ++ tests/results/extract-git-repo.3.txt | 13 ++ tests/results/extract-pipeline-logs.1.txt | 12 ++ tests/results/extract-pipeline-logs.2.txt | 15 ++ tests/results/extract-pipeline-logs.3.txt | 18 +++ .../results/negative-non-konflux-image.1.txt | 25 ++++ .../results/negative-non-konflux-image.2.txt | 24 +++ .../results/negative-non-konflux-image.3.txt | 16 ++ tests/results/trace-build-to-commit.1.txt | 10 ++ tests/results/trace-build-to-commit.2.txt | 13 ++ tests/results/trace-build-to-commit.3.txt | 14 ++ .../results/trace-missing-sbom-to-logs.1.txt | 12 ++ .../results/trace-missing-sbom-to-logs.2.txt | 18 +++ .../results/trace-missing-sbom-to-logs.3.txt | 12 ++ tests/results/verify-image-source.1.txt | 9 ++ tests/results/verify-image-source.2.txt | 13 ++ tests/results/verify-image-source.3.txt | 9 ++ tests/scenarios.yaml | 78 ++++++++++ 27 files changed, 628 insertions(+) create mode 100644 .claude-plugin/plugin.json create mode 100644 README.md create mode 100644 SKILL.md create mode 100644 plugin.lock.json create mode 100755 scripts/build-commit-link.sh create mode 100755 scripts/build-git-repo.sh create mode 100755 scripts/build-log-link.sh create mode 100755 scripts/build-origin-pullspec.sh create mode 100644 tests/results/extract-git-repo.1.txt create mode 100644 tests/results/extract-git-repo.2.txt create mode 100644 tests/results/extract-git-repo.3.txt create mode 100644 tests/results/extract-pipeline-logs.1.txt create mode 100644 tests/results/extract-pipeline-logs.2.txt create mode 100644 
tests/results/extract-pipeline-logs.3.txt create mode 100644 tests/results/negative-non-konflux-image.1.txt create mode 100644 tests/results/negative-non-konflux-image.2.txt create mode 100644 tests/results/negative-non-konflux-image.3.txt create mode 100644 tests/results/trace-build-to-commit.1.txt create mode 100644 tests/results/trace-build-to-commit.2.txt create mode 100644 tests/results/trace-build-to-commit.3.txt create mode 100644 tests/results/trace-missing-sbom-to-logs.1.txt create mode 100644 tests/results/trace-missing-sbom-to-logs.2.txt create mode 100644 tests/results/trace-missing-sbom-to-logs.3.txt create mode 100644 tests/results/verify-image-source.1.txt create mode 100644 tests/results/verify-image-source.2.txt create mode 100644 tests/results/verify-image-source.3.txt create mode 100644 tests/scenarios.yaml
diff --git a/.claude-plugin/plugin.json b/.claude-plugin/plugin.json
new file mode 100644
index 0000000..2956f62
--- /dev/null
+++ b/.claude-plugin/plugin.json
@@ -0,0 +1,11 @@
+{
+ "name": "working-with-provenance",
+ "description": "Use when tracing Konflux builds from image references, finding build logs from artifacts, or verifying source commits for container images - extracts provenance attestations to navigate from images back to builds and source code",
+ "version": "1.0.0",
+ "author": {
+ "name": "Konflux CI Team"
+ },
+ "skills": [
+ "./"
+ ]
+}
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..99fdaa1
--- /dev/null
+++ b/README.md
@@ -0,0 +1,3 @@
+# working-with-provenance
+
+Use when tracing Konflux builds from image references, finding build logs from artifacts, or verifying source commits for container images - extracts provenance attestations to navigate from images back to builds and source code
diff --git a/SKILL.md b/SKILL.md
new file mode 100644
index 0000000..e0f79ad
--- /dev/null
+++ b/SKILL.md
@@ -0,0 +1,115 @@
+---
+name: working-with-provenance
+description: Use when tracing Konflux builds from image references, finding build logs from artifacts, or verifying source commits for container images - extracts provenance attestations to navigate from images back to builds and source code
+allowed-tools: Bash(cosign download:*), Bash(cosign verify:*), Bash(jq:*), Bash(~/.claude/skills/working-with-provenance/scripts/*:*)
+---
+
+# Working with Provenance
+
+## Overview
+
+Every Konflux build produces SLSA provenance attestations containing the complete build history: source repository, commit SHA, pipeline run URL, and build parameters. Use `cosign download attestation` with `jq` to extract this information and trace artifacts back to their origins.
+
+## When to Use
+
+Use this skill when you need to:
+- Find build logs for an image (missing SBOM, failed tasks, debugging)
+- Trace an image back to its source commit (what changed, code review)
+- Verify which repository and commit produced an artifact (security, compliance)
+- Extract build parameters or pipeline information (reproduce builds, debug configuration)
+
+Do NOT use for non-Konflux images (Docker Hub, upstream images without attestations).
+
+## Quick Reference
+
+| Need | Command Pattern | Helper Script |
+|------|----------------|---------------|
+| Build log URL | `cosign download attestation $IMAGE \| jq '.payload \| @base64d \| fromjson \| .predicate.buildConfig.tasks[0].invocation.environment.annotations."pipelinesascode.tekton.dev/log-url"'` | `~/.claude/skills/working-with-provenance/scripts/build-log-link.sh $IMAGE` |
+| Commit link | `cosign download attestation $IMAGE \| jq '.payload \| @base64d \| fromjson \| .predicate.buildConfig.tasks[0].invocation.environment.annotations \| ."pipelinesascode.tekton.dev/repo-url" + "/commit/" + ."pipelinesascode.tekton.dev/sha"'` | `~/.claude/skills/working-with-provenance/scripts/build-commit-link.sh $IMAGE` |
+| Git repository | `cosign download attestation $IMAGE \| jq '.payload \| @base64d \| fromjson \| .predicate.buildConfig.tasks[0].invocation.environment.annotations."pipelinesascode.tekton.dev/repo-url"'` | `~/.claude/skills/working-with-provenance/scripts/build-git-repo.sh $IMAGE` |
+| Origin pullspec | `cosign download attestation $IMAGE \| jq '.payload \| @base64d \| fromjson \| .subject[0].name + ":" + .predicate.buildConfig.tasks[0].invocation.environment.annotations."pipelinesascode.tekton.dev/sha"'` | `~/.claude/skills/working-with-provenance/scripts/build-origin-pullspec.sh $IMAGE` |
+
+## Helper Scripts
+
+This skill includes ready-to-use bash scripts that you can invoke directly:
+
+```bash
+# Extract build log URL
+~/.claude/skills/working-with-provenance/scripts/build-log-link.sh quay.io/org/image:tag
+
+# Extract commit URL (handles GitHub and GitLab)
+~/.claude/skills/working-with-provenance/scripts/build-commit-link.sh quay.io/org/image:tag
+
+# Extract git repository URL
+~/.claude/skills/working-with-provenance/scripts/build-git-repo.sh quay.io/org/image:tag
+
+# Extract original pullspec with commit SHA
+~/.claude/skills/working-with-provenance/scripts/build-origin-pullspec.sh quay.io/org/image:tag
+```
+
+## Common Workflow
+
+**Investigating missing SBOM:**
+
+```bash
+# 1. Get build log URL from provenance
+LOG_URL=$(~/.claude/skills/working-with-provenance/scripts/build-log-link.sh quay.io/org/image:tag)
+
+# 2. Open logs in browser or use debugging-pipeline-failures skill
+echo $LOG_URL
+```
+
+**Tracing code changes:**
+
+```bash
+# 1. Get commit link from provenance
+COMMIT=$(~/.claude/skills/working-with-provenance/scripts/build-commit-link.sh quay.io/org/image:tag)
+
+# 2. View the commit
+echo $COMMIT # Opens in browser
+
+# 3. Check recent history
+git clone $(~/.claude/skills/working-with-provenance/scripts/build-git-repo.sh quay.io/org/image:tag)
+```
+
+## Attestation Structure
+
+Konflux provenance lives at:
+```
+.payload (base64-encoded)
+ └─ .predicate
+ ├─ .buildConfig.tasks[0].invocation.environment.annotations
+ │ ├─ pipelinesascode.tekton.dev/log-url (pipeline logs)
+ │ ├─ pipelinesascode.tekton.dev/repo-url (git repository)
+ │ └─ pipelinesascode.tekton.dev/sha (commit SHA)
+ └─ .subject[0].name (image name)
+```
+
+## Common Mistakes
+
+| Mistake | Fix |
+|---------|-----|
+| Trying to parse image tags for commit info | Tags can be arbitrary. Use provenance for definitive source. |
+| Manual UI navigation to find logs | Use `build-log-link.sh` - faster and scriptable. |
+| Assuming images without Konflux builds have provenance | Only Konflux-built images have SLSA attestations via Tekton Chains. |
+| Forgetting to base64 decode payload | Always use `.payload \| @base64d \| fromjson` pattern. |
+
+## Real-World Example
+
+```bash
+# User reports: "Build quay.io/redhat-user-workloads/konflux-ai-sig-tenant/llm-compressor-demo:7f9a553... missing SBOM"
+
+# 1. 
Extract build log URL
+$ ~/.claude/skills/working-with-provenance/scripts/build-log-link.sh quay.io/redhat-user-workloads/konflux-ai-sig-tenant/llm-compressor-demo:7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
+https://konflux-ui.apps.kflux-prd-rh03.nnv1.p1.openshiftapps.com/ns/konflux-ai-sig-tenant/pipelinerun/llm-compressor-on-push-lvnc5
+
+# 2. Extract source commit
+$ ~/.claude/skills/working-with-provenance/scripts/build-commit-link.sh quay.io/redhat-user-workloads/konflux-ai-sig-tenant/llm-compressor-demo:7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
+🐙 https://github.com/ralphbean/llm-compressor-hermetic-demo/commit/7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
+
+# Now: Open logs to debug SBOM task, review commit for context
+```
+
+## Keywords
+
+SLSA provenance, attestation, cosign, Tekton Chains, build logs, commit SHA, source tracing, artifact metadata, supply chain security, SBOM debugging, pipeline logs, container image verification
diff --git a/plugin.lock.json b/plugin.lock.json
new file mode 100644
index 0000000..4ac2c64
--- /dev/null
+++ b/plugin.lock.json
@@ -0,0 +1,137 @@
+{
+ "$schema": "internal://schemas/plugin.lock.v1.json",
+ "pluginId": "gh:konflux-ci/skills:skills/working-with-provenance",
+ "normalized": {
+ "repo": null,
+ "ref": "refs/tags/v20251128.0",
+ "commit": "7b6adb0a74a1ccfded89649ab301ee6121409ca3",
+ "treeHash": "44bc67aaaac2313811387700d059c6e76dc0d8bbd7ef8f2d69eea169217d3456",
+ "generatedAt": "2025-11-28T10:19:55.018276Z",
+ "toolVersion": "publish_plugins.py@0.2.0"
+ },
+ "origin": {
+ "remote": "git@github.com:zhongweili/42plugin-data.git",
+ "branch": "master",
+ "commit": "aa1497ed0949fd50e99e70d6324a29c5b34f9390",
+ "repoRoot": "/Users/zhongweili/projects/openmind/42plugin-data"
+ },
+ "manifest": {
+ "name": "working-with-provenance",
+ "description": "Use when tracing Konflux builds from image references, finding build logs from artifacts, or verifying source commits for container images - extracts provenance attestations to navigate from images back to builds and source code",
+ "version": "1.0.0"
+ },
+ "content": {
+ "files": [
+ {
+ "path": "README.md",
+ "sha256": "ec2fe631ce0b60d42d40a4955709f3936d10e6b8ded3518736401a63bc7c83f4"
+ },
+ {
+ "path": "SKILL.md",
+ "sha256": "08686d390304798b3f4db10ddf8f86b29c9ead91d63b9de24f1b596c787035ed"
+ },
+ {
+ "path": "tests/scenarios.yaml",
+ "sha256": "8f0342a967f93ed609c16c69f0c29cf1f6da6c3504a5cf68a98028edd3e71797"
+ },
+ {
+ "path": "tests/results/trace-missing-sbom-to-logs.1.txt",
+ "sha256": "142787a762f511535798ddd1be1f395399df752071f01e96eb896630dfa3d137"
+ },
+ {
+ "path": "tests/results/trace-missing-sbom-to-logs.2.txt",
+ "sha256": "528b78dfb1f5239ad6cb8aa2fb302c96ca8637cf52a7d13fa8eb81735a755784"
+ },
+ {
+ "path": "tests/results/trace-missing-sbom-to-logs.3.txt",
+ "sha256": "ccee57ea972f0c1ff4b6c7c6909cf646d15a7c7eaa5afa80162fa5d0b1798d57"
+ },
+ {
+ "path": "tests/results/extract-pipeline-logs.1.txt",
+ "sha256": "58832233992ec268b6c674e9f741468207f585eb21723477c51a5303e800e433"
+ },
+ {
+ "path": 
"tests/results/extract-pipeline-logs.3.txt",
+ "sha256": "8eff675f29b44e21a54fc7eebfb1ca4f25d13a4202a62bc1c2c0d40fc3158854"
+ },
+ {
+ "path": "tests/results/extract-pipeline-logs.2.txt",
+ "sha256": "c164810cf4274ebb3805b7011e3364ac350edf2282b1ca6b9721da6331eb0dd4"
+ },
+ {
+ "path": "tests/results/extract-git-repo.1.txt",
+ "sha256": "0eab8d54abe1b8761885682d94fffb7f03673a5ec875b20becdab073cfe02c9f"
+ },
+ {
+ "path": "tests/results/negative-non-konflux-image.3.txt",
+ "sha256": "01974155a62528ccaba0bd4ebff20b68d5713a194f905ae2d0c24d32ef214144"
+ },
+ {
+ "path": "tests/results/negative-non-konflux-image.2.txt",
+ "sha256": "644bd6b86f246ffbae1144237358ef1b84776f40a52a68e3ccf67041133225b2"
+ },
+ {
+ "path": "tests/results/extract-git-repo.2.txt",
+ "sha256": "7e8969190bd59402af35250efbbeb12b679dd38fc0b643885c87c1913df62f94"
+ },
+ {
+ "path": "tests/results/negative-non-konflux-image.1.txt",
+ "sha256": "26538f67a4ced8d18739b0e92ddf1c7b2b9311ceb816e4b87e6c17d224d22266"
+ },
+ {
+ "path": "tests/results/extract-git-repo.3.txt",
+ "sha256": "a67eaf153e1b76dacbc9de66310aa6fcbb413588a30359071397f0d9c83cc283"
+ },
+ {
+ "path": "tests/results/verify-image-source.1.txt",
+ "sha256": "bfea63a15dcbc52d692f97739384f65f0303aef511ef6f8ecca71ca174c28d80"
+ },
+ {
+ "path": "tests/results/trace-build-to-commit.3.txt",
+ "sha256": "f8457374306739356d40ebb4a0bcc3a72758bb25cc8adbb24968b50ee359780b"
+ },
+ {
+ "path": "tests/results/trace-build-to-commit.2.txt",
+ "sha256": "f530c8410a664b3c959ee1641e3def238e46d4d6f515c2a6b2148be657987769"
+ },
+ {
+ "path": "tests/results/verify-image-source.2.txt",
+ "sha256": "160cdb5d9a801e381045f3c3e4b69a316bc2fc365f9f47be020e7a4ee7c96ee8"
+ },
+ {
+ "path": "tests/results/trace-build-to-commit.1.txt",
+ "sha256": "b19902978da6621e6f62611668d8dd4f4a4bec39a52d0ac67b5df74d739d6fd7"
+ },
+ {
+ "path": "tests/results/verify-image-source.3.txt",
+ "sha256": "219fdff036dc171ddaf2e8866a6bbf22f80e5154e14232ef4412cf54e3680f02"
+ },
+ {
+ "path": 
"scripts/build-origin-pullspec.sh",
+ "sha256": "0d00453709e69340d3a876039d81fd1ed5abe9b83e0da6e83c0f00d99c0e7840"
+ },
+ {
+ "path": "scripts/build-commit-link.sh",
+ "sha256": "eeedc272c58a68eaf1dbe87b35f28c7566120514ecfe81a9d2b4b3950781cc18"
+ },
+ {
+ "path": "scripts/build-log-link.sh",
+ "sha256": "d1e525b66dba43d82bd1a880e4213d60094f2b522deff80b319d4aff4579297e"
+ },
+ {
+ "path": "scripts/build-git-repo.sh",
+ "sha256": "b45af5dbcae075ffc9e2295a4dcaf0afc1ebc1c2f3cad6daae22a17d9b549f3b"
+ },
+ {
+ "path": ".claude-plugin/plugin.json",
+ "sha256": "0c6b5514780d07b79c8f385621181d4019b28a679d756e73e71207fbec4379f8"
+ }
+ ],
+ "dirSha256": "44bc67aaaac2313811387700d059c6e76dc0d8bbd7ef8f2d69eea169217d3456"
+ },
+ "security": {
+ "scannedAt": null,
+ "scannerVersion": null,
+ "flags": []
+ }
+}
\ No newline at end of file
diff --git a/scripts/build-commit-link.sh b/scripts/build-commit-link.sh
new file mode 100755
index 0000000..c6f60c9
--- /dev/null
+++ b/scripts/build-commit-link.sh
@@ -0,0 +1,12 @@
+#!/bin/bash -u
+
+IMAGE=${1}
+
+expression='.payload | @base64d | fromjson | .predicate.buildConfig.tasks[0].invocation.environment.annotations | ."pipelinesascode.tekton.dev/repo-url" + "/-/commit/" + ."pipelinesascode.tekton.dev/sha"'
+output=$(cosign download attestation $IMAGE | jq -r "$expression")
+
+if [[ "$output" == *github.com/* ]] ; then
+ echo "🐙 $output" | sed 's|/-/|/|'
+else
+ echo "🦊 $output"
+fi
diff --git a/scripts/build-git-repo.sh b/scripts/build-git-repo.sh
new file mode 100755
index 0000000..a615af0
--- /dev/null
+++ b/scripts/build-git-repo.sh
@@ -0,0 +1,6 @@
+#!/bin/bash -u
+
+IMAGE=${1}
+
+expression='.payload | @base64d | fromjson | .predicate.buildConfig.tasks[0].invocation.environment.annotations."pipelinesascode.tekton.dev/repo-url"'
+cosign download attestation $IMAGE | jq -r "$expression"
diff --git a/scripts/build-log-link.sh b/scripts/build-log-link.sh
new file mode 100755
index 0000000..7263171
--- /dev/null
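Review bot: The `output=$(cosign download attestation $IMAGE | jq …)` line fetches whatever attestation is attached to the image in the registry without checking its signature, so the repository URL and SHA printed here are unverified claims — anyone who can push to that registry repository can attach an attestation naming any commit, which undercuts the "security, compliance" use SKILL.md advertises for these scripts. The skill front matter already allows `Bash(cosign verify:*)`, so the fetch should go through verification, e.g. `output=$(cosign verify-attestation --type slsaprovenance --key "<konflux-chains-public-key>" "$IMAGE" | jq -r "$expression")` (or the keyless `--certificate-identity`/`--certificate-oidc-issuer` flags for the Konflux signing identity); verify-attestation emits the same DSSE envelope, so the jq expression is unchanged. The same applies to build-git-repo.sh, build-log-link.sh and build-origin-pullspec.sh. Separately, jq treats null as the identity for `+`, so an attestation without the pipelinesascode annotations yields `🦊 /-/commit/` with exit status 0 instead of an error; appending `// error("missing pipelinesascode annotations")` to each annotation lookup in `expression` makes jq fail loudly instead.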
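Review bot: With only `#!/bin/bash -u` and no pipefail, a failing `cosign download attestation` (no attestation on the image, registry auth error, mistyped reference) leaves jq reading empty stdin, so this script prints nothing and still exits 0; the `git clone $(…build-git-repo.sh …)` example in SKILL.md would then run with an empty argument. Add `set -eo pipefail` after the shebang so the pipeline's status reflects the cosign failure, and quote the reference as `"$IMAGE"` so a reference containing shell metacharacters is passed as a single word. build-commit-link.sh, build-log-link.sh and build-origin-pullspec.sh share both issues.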
+++ b/scripts/build-log-link.sh
@@ -0,0 +1,7 @@
+#!/bin/bash -u
+
+IMAGE=${1}
+
+cosign download attestation $IMAGE \
+ | jq -r '.payload | @base64d | fromjson | .predicate.buildConfig.tasks[0].invocation.environment.annotations."pipelinesascode.tekton.dev/log-url"' \
+ | sed 's|console.redhat.com/application-pipeline|konflux-ui.apps.stone-prd-rh01.pg1f.p1.openshiftapps.com|'
diff --git a/scripts/build-origin-pullspec.sh b/scripts/build-origin-pullspec.sh
new file mode 100755
index 0000000..2b723cd
--- /dev/null
+++ b/scripts/build-origin-pullspec.sh
@@ -0,0 +1,8 @@
+#!/bin/bash -u
+
+IMAGE=${1}
+
+expression='.payload | @base64d | fromjson | .subject[0].name + ":" + .predicate.buildConfig.tasks[0].invocation.environment.annotations."pipelinesascode.tekton.dev/sha"'
+output=$(cosign download attestation $IMAGE | jq -r "$expression")
+
+echo $output
diff --git a/tests/results/extract-git-repo.1.txt b/tests/results/extract-git-repo.1.txt
new file mode 100644
index 0000000..543804a
--- /dev/null
+++ b/tests/results/extract-git-repo.1.txt
@@ -0,0 +1,9 @@
+# skill_digest: 277bf232d6be393d85b2319366d2fc3272f724b211a267eafcecbb712eff0bb0
+Great! From the provenance attestation, I can extract the key information:
+
+Repository URL: https://github.com/ralphbean/llm-compressor-hermetic-demo
+Commit SHA: 7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
+
+The image was built from the repository `ralphbean/llm-compressor-hermetic-demo` at the specific commit `7f9a553`.
+
+Would you like me to provide more details about the repository or the specific commit?
diff --git a/tests/results/extract-git-repo.2.txt b/tests/results/extract-git-repo.2.txt
new file mode 100644
index 0000000..6fac74e
--- /dev/null
+++ b/tests/results/extract-git-repo.2.txt
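Review bot: The final `sed` silently rewrites `console.redhat.com/application-pipeline` log URLs to one hard-coded cluster host, `konflux-ui.apps.stone-prd-rh01.pg1f.p1.openshiftapps.com`, and nothing in the script says why or for which deployments that mapping holds; a log-url on any other host (such as the kflux-prd-rh03 example in SKILL.md) passes through untouched, while every console.redhat.com URL is redirected to that single cluster whether or not the run lives there. Add a comment above the `sed` such as `# Presumably older attestations record the legacy console.redhat.com log-url; rewrite it to the current UI host for this deployment — confirm the mapping is still valid` and consider taking the replacement host from an environment variable with this value as the default, so the script is not tied to one cluster.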
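Review bot: `echo $output` on the last line is unquoted, so the pullspec is subject to word splitting and glob expansion; write `echo "$output"`. More substantively, the jq expression returns `name:<sha>`, a tag reference, whereas the in-toto subject also carries `.subject[0].digest.sha256`, and a digest-pinned reference (`name@sha256:<digest>`) is the immutable form a provenance lookup should hand back, since a tag named after the commit can be re-pushed. As in build-commit-link.sh, a null sha is concatenated as an empty string, so a non-PaC attestation yields `name:` with exit status 0.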
@@ -0,0 +1,9 @@
+# skill_digest: 277bf232d6be393d85b2319366d2fc3272f724b211a267eafcecbb712eff0bb0
+Based on the provenance information, I can confirm:
+
+- Repository: https://github.com/ralphbean/llm-compressor-hermetic-demo
+- Commit SHA: 7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
+
+The image was built from this specific GitHub repository, specifically the commit with the hash 7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd. You can view the exact commit by visiting: https://github.com/ralphbean/llm-compressor-hermetic-demo/commit/7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
+
+Is there anything else you'd like to know about this image or its origin?
diff --git a/tests/results/extract-git-repo.3.txt b/tests/results/extract-git-repo.3.txt
new file mode 100644
index 0000000..f8ccdaf
--- /dev/null
+++ b/tests/results/extract-git-repo.3.txt
@@ -0,0 +1,13 @@
+# skill_digest: 277bf232d6be393d85b2319366d2fc3272f724b211a267eafcecbb712eff0bb0
+Let me summarize the findings:
+
+The image `quay.io/redhat-user-workloads/konflux-ai-sig-tenant/llm-compressor-demo:7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd` originates from the GitHub repository:
+
+https://github.com/ralphbean/llm-compressor-hermetic-demo
+
+Specifically:
+- Repository: ralphbean/llm-compressor-hermetic-demo
+- Commit: 7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
+- Branch: main
+
+The image was built as part of a Konflux CI pipeline and stored in the Quay.io registry under the redhat-user-workloads/konflux-ai-sig-tenant organization.
diff --git a/tests/results/extract-pipeline-logs.1.txt b/tests/results/extract-pipeline-logs.1.txt
new file mode 100644
index 0000000..725418b
--- /dev/null
+++ b/tests/results/extract-pipeline-logs.1.txt
@@ -0,0 +1,12 @@
+# skill_digest: 277bf232d6be393d85b2319366d2fc3272f724b211a267eafcecbb712eff0bb0
+Great! I've found the full pipeline logs for your Konflux build:
+
+1. Build Log URL:
+ https://konflux-ui.apps.kflux-prd-rh03.nnv1.p1.openshiftapps.com/ns/konflux-ai-sig-tenant/pipelinerun/llm-compressor-on-push-lvnc5
+
+2. Commit Link (for additional context):
+ https://github.com/ralphbean/llm-compressor-hermetic-demo/commit/7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
+
+You can click on the build log URL to view the detailed pipeline run logs and investigate the specific errors you encountered. The commit link allows you to see the exact code changes that were part of this build.
+
+Is there anything specific about the build errors you'd like me to help you investigate further?
diff --git a/tests/results/extract-pipeline-logs.2.txt b/tests/results/extract-pipeline-logs.2.txt
new file mode 100644
index 0000000..2f556d1
--- /dev/null
+++ b/tests/results/extract-pipeline-logs.2.txt
@@ -0,0 +1,15 @@
+# skill_digest: 277bf232d6be393d85b2319366d2fc3272f724b211a267eafcecbb712eff0bb0
+Here's what I found:
+
+1. **Build Log URL**:
+ https://konflux-ui.apps.kflux-prd-rh03.nnv1.p1.openshiftapps.com/ns/konflux-ai-sig-tenant/pipelinerun/llm-compressor-on-push-lvnc5
+
+2. **Repository**:
+ https://github.com/ralphbean/llm-compressor-hermetic-demo
+
+3. **Commit SHA**:
+ 7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
+
+The build log URL will provide the full details of the pipeline run and any errors encountered during the build. You can open this URL in a web browser to view the complete logs and understand why the build failed.
+
+Would you like me to help you interpret the specific errors from the build log?
diff --git a/tests/results/extract-pipeline-logs.3.txt b/tests/results/extract-pipeline-logs.3.txt
new file mode 100644
index 0000000..9bcfe09
--- /dev/null
+++ b/tests/results/extract-pipeline-logs.3.txt
@@ -0,0 +1,18 @@
+# skill_digest: 277bf232d6be393d85b2319366d2fc3272f724b211a267eafcecbb712eff0bb0
+Here's a summary of the build information:
+
+1. **Build Log URL**:
+ https://konflux-ui.apps.kflux-prd-rh03.nnv1.p1.openshiftapps.com/ns/konflux-ai-sig-tenant/pipelinerun/llm-compressor-on-push-lvnc5
+
+2. **Git Repository**:
+ https://github.com/ralphbean/llm-compressor-hermetic-demo
+
+3. **Commit SHA**:
+ 7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
+
+To investigate the failed build, I recommend:
+1. Open the build log URL in your browser
+2. Look for specific error messages in the pipeline run logs
+3. Check the commit in the GitHub repository to see if there are any obvious issues with the code
+
+Is there anything specific about the build failure you'd like me to help you investigate further?
diff --git a/tests/results/negative-non-konflux-image.1.txt b/tests/results/negative-non-konflux-image.1.txt
new file mode 100644
index 0000000..91864c7
--- /dev/null
+++ b/tests/results/negative-non-konflux-image.1.txt
@@ -0,0 +1,25 @@
+# skill_digest: 277bf232d6be393d85b2319366d2fc3272f724b211a267eafcecbb712eff0bb0
+I apologize for the error. Let me provide you with the standard ways to find the source code for the nginx Docker image:
+
+1. Official GitHub Repository:
+ - The official nginx source code is maintained on GitHub at: https://github.com/nginx/nginx
+ - For the Docker image specifically, check: https://github.com/nginx/docker-nginx
+
+2. Docker Hub Source:
+ - Visit the official nginx Docker Hub page: https://hub.docker.com/_/nginx
+ - The "Source" link on this page will direct you to the GitHub repositories
+
+3. Dockerfile Investigation:
+ - You can pull the image and inspect its Dockerfile:
+ ```bash
+ docker pull nginx:latest
+ docker run -it --entrypoint /bin/sh nginx:latest
+ cat /Dockerfile # Inside the container
+ ```
+
+4. Official Nginx Website:
+ - The primary source code repository is at: https://hg.nginx.org/nginx/
+
+For the most up-to-date and official source code, I recommend checking the GitHub repositories mentioned above. The nginx:latest tag typically points to the mainline version of nginx, which is actively maintained.
+
+Would you like me to help you explore the source code further or explain how to investigate the image's details?
diff --git a/tests/results/negative-non-konflux-image.2.txt b/tests/results/negative-non-konflux-image.2.txt
new file mode 100644
index 0000000..341b9bc
--- /dev/null
+++ b/tests/results/negative-non-konflux-image.2.txt
@@ -0,0 +1,24 @@
+# skill_digest: 277bf232d6be393d85b2319366d2fc3272f724b211a267eafcecbb712eff0bb0
+I'll try again with a direct search:
+
+The official nginx source code is maintained on GitHub at https://github.com/nginx/nginx
+
+To get the exact source for the latest version:
+
+1. Go to https://github.com/nginx/nginx
+2. Check the tags or releases to find the version corresponding to the latest Docker Hub image
+3. You can clone the repository:
+```bash
+git clone https://github.com/nginx/nginx.git
+```
+
+A few additional points about nginx:latest:
+- The Docker Hub image is maintained by the Docker Nginx team
+- The source is open-source and available on GitHub
+- The Dockerfile for the official image is typically maintained in a separate repository: https://github.com/nginxinc/docker-nginx
+
+If you want to investigate the specific Dockerfile used to build the nginx:latest image, I recommend:
+1. Checking the Docker Hub page for nginx
+2. Looking at the official nginx Docker image repository on GitHub
+
+Would you like me to help you find more specific details about the nginx:latest source code or Dockerfile?
diff --git a/tests/results/negative-non-konflux-image.3.txt b/tests/results/negative-non-konflux-image.3.txt
new file mode 100644
index 0000000..632df28
--- /dev/null
+++ b/tests/results/negative-non-konflux-image.3.txt
@@ -0,0 +1,16 @@
+# skill_digest: 277bf232d6be393d85b2319366d2fc3272f724b211a267eafcecbb712eff0bb0
+I apologize for the error. Let me rephrase my recommendation:
+
+To find the source code for the nginx:latest Docker Hub image:
+1. Visit https://github.com/nginxinc/docker-nginx
+2. Look for the Dockerfile in this repository
+3. You can explore different branches for various nginx versions
+4. The official Docker Hub page (https://hub.docker.com/_/nginx) also links to this source repository
+
+If you want the exact Dockerfile used to build the latest image, I recommend:
+- Checking the official GitHub repository
+- Using `docker pull nginx:latest` locally
+- Running `docker history nginx:latest` to see layer information
+- Consulting the Docker Hub documentation for the most current source details
+
+Would you like me to help you explore the nginx Docker image source in more detail?
diff --git a/tests/results/trace-build-to-commit.1.txt b/tests/results/trace-build-to-commit.1.txt
new file mode 100644
index 0000000..2598872
--- /dev/null
+++ b/tests/results/trace-build-to-commit.1.txt
@@ -0,0 +1,10 @@
+# skill_digest: 277bf232d6be393d85b2319366d2fc3272f724b211a267eafcecbb712eff0bb0
+Here's a summary of the build information:
+
+1. Repository: https://github.com/ralphbean/llm-compressor-hermetic-demo
+2. Commit SHA: 7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
+3. Build Log URL: https://konflux-ui.apps.kflux-prd-rh03.nnv1.p1.openshiftapps.com/ns/konflux-ai-sig-tenant/pipelinerun/llm-compressor-on-push-lvnc5
+
+You can visit the commit link to see exactly what changes were made in this specific build. The build log URL will provide details about the build process if you need to investigate any specific issues with the build.
+
+Would you like me to help you investigate further by checking the specific changes in the commit or examining the build logs?
diff --git a/tests/results/trace-build-to-commit.2.txt b/tests/results/trace-build-to-commit.2.txt
new file mode 100644
index 0000000..e6d4273
--- /dev/null
+++ b/tests/results/trace-build-to-commit.2.txt
@@ -0,0 +1,13 @@
+# skill_digest: 277bf232d6be393d85b2319366d2fc3272f724b211a267eafcecbb712eff0bb0
+Here's a summary of the build details:
+- Image: quay.io/redhat-user-workloads/konflux-ai-sig-tenant/llm-compressor-demo:7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
+- Repository: https://github.com/ralphbean/llm-compressor-hermetic-demo
+- Commit SHA: 7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
+- Build Log URL: https://konflux-ui.apps.kflux-prd-rh03.nnv1.p1.openshiftapps.com/ns/konflux-ai-sig-tenant/pipelinerun/llm-compressor-on-push-lvnc5
+
+You can:
+1. Check the specific commit at the GitHub link to see what changes were made
+2. Review the build log at the provided URL to understand any build issues
+3. If the image isn't working as expected, compare the code at this commit with previous working versions
+
+Would you like me to help you investigate why the image isn't working as expected?
diff --git a/tests/results/trace-build-to-commit.3.txt b/tests/results/trace-build-to-commit.3.txt
new file mode 100644
index 0000000..b0abe0d
--- /dev/null
+++ b/tests/results/trace-build-to-commit.3.txt
@@ -0,0 +1,14 @@
+# skill_digest: 277bf232d6be393d85b2319366d2fc3272f724b211a267eafcecbb712eff0bb0
+I'll summarize the findings for you:
+
+1. Commit Link: https://github.com/ralphbean/llm-compressor-hermetic-demo/commit/7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
+2. Build Log URL: https://konflux-ui.apps.kflux-prd-rh03.nnv1.p1.openshiftapps.com/ns/konflux-ai-sig-tenant/pipelinerun/llm-compressor-on-push-lvnc5
+
+The image was built from the exact commit `7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd` in the `llm-compressor-hermetic-demo` repository owned by ralphbean.
+
+I recommend:
+1. Visit the commit URL to review the specific changes
+2. Check the build log URL for any build-time issues or warnings
+3. If the build isn't working as expected, compare this commit with the previous working version to identify potential problems
+
+Would you like me to help you investigate the specific changes in this commit or debug the issues you're experiencing?
diff --git a/tests/results/trace-missing-sbom-to-logs.1.txt b/tests/results/trace-missing-sbom-to-logs.1.txt
new file mode 100644
index 0000000..bb8253f
--- /dev/null
+++ b/tests/results/trace-missing-sbom-to-logs.1.txt
@@ -0,0 +1,12 @@
+# skill_digest: 277bf232d6be393d85b2319366d2fc3272f724b211a267eafcecbb712eff0bb0
+Here's what I found:
+1. Build Log URL: https://konflux-ui.apps.kflux-prd-rh03.nnv1.p1.openshiftapps.com/ns/konflux-ai-sig-tenant/pipelinerun/llm-compressor-on-push-lvnc5
+2. Git Repository: https://github.com/ralphbean/llm-compressor-hermetic-demo
+3. Commit SHA: 7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
+
+The build log URL should help you investigate why the SBOM is missing. I recommend:
+1. Open the build log URL in a web browser
+2. Look for any SBOM generation steps or errors
+3. Check if there are any pipeline configuration issues preventing SBOM generation
+
+Would you like me to help you further investigate the SBOM generation process or explain what might have caused its absence?
diff --git a/tests/results/trace-missing-sbom-to-logs.2.txt b/tests/results/trace-missing-sbom-to-logs.2.txt
new file mode 100644
index 0000000..996a857
--- /dev/null
+++ b/tests/results/trace-missing-sbom-to-logs.2.txt
@@ -0,0 +1,18 @@
+# skill_digest: 277bf232d6be393d85b2319366d2fc3272f724b211a267eafcecbb712eff0bb0
+I've found the following information for you:
+
+1. Build Log URL:
+ https://konflux-ui.apps.kflux-prd-rh03.nnv1.p1.openshiftapps.com/ns/konflux-ai-sig-tenant/pipelinerun/llm-compressor-on-push-lvnc5
+
+2. Source Repository:
+ https://github.com/ralphbean/llm-compressor-hermetic-demo
+
+3. Commit SHA:
+ 7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
+
+The build log URL should help you investigate why the SBOM might be missing. I recommend:
+1. Open the build log URL in a browser
+2. Look for any SBOM-related tasks or errors
+3. Check if the SBOM generation step was skipped or failed
+
+Would you like me to help you investigate the specific reason for the missing SBOM?
diff --git a/tests/results/trace-missing-sbom-to-logs.3.txt b/tests/results/trace-missing-sbom-to-logs.3.txt
new file mode 100644
index 0000000..075ab7e
--- /dev/null
+++ b/tests/results/trace-missing-sbom-to-logs.3.txt
@@ -0,0 +1,12 @@
+# skill_digest: 277bf232d6be393d85b2319366d2fc3272f724b211a267eafcecbb712eff0bb0
+Here's what I found for the image quay.io/redhat-user-workloads/konflux-ai-sig-tenant/llm-compressor-demo:7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd:
+
+1. Build Log URL:
+ https://konflux-ui.apps.kflux-prd-rh03.nnv1.p1.openshiftapps.com/ns/konflux-ai-sig-tenant/pipelinerun/llm-compressor-on-push-lvnc5
+
+2. Source Repository:
+ https://github.com/ralphbean/llm-compressor-hermetic-demo
+
+The build log URL should help you investigate why the SBOM might be missing. You can open this link in a web browser to view the complete pipeline run details and logs.
+
+Would you like me to help you investigate further why the SBOM might be missing from this build?
diff --git a/tests/results/verify-image-source.1.txt b/tests/results/verify-image-source.1.txt
new file mode 100644
index 0000000..7a991e2
--- /dev/null
+++ b/tests/results/verify-image-source.1.txt
@@ -0,0 +1,9 @@
+# skill_digest: 277bf232d6be393d85b2319366d2fc3272f724b211a267eafcecbb712eff0bb0
+To summarize:
+- The exact source code commit for this Konflux production image is:
+ **7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd**
+- This commit was from the `main` branch of the repository
+ https://github.com/ralphbean/llm-compressor-hermetic-demo
+- The commit was made on 2025-10-21 at 20:19:23 UTC
+
+Would you like me to fetch more details about this specific commit?
diff --git a/tests/results/verify-image-source.2.txt b/tests/results/verify-image-source.2.txt
new file mode 100644
index 0000000..efb989e
--- /dev/null
+++ b/tests/results/verify-image-source.2.txt
@@ -0,0 +1,13 @@
+# skill_digest: 277bf232d6be393d85b2319366d2fc3272f724b211a267eafcecbb712eff0bb0
+Based on the provenance information, here are the key details about the source code for this Konflux production image:
+
+1. **Commit Hash**: `7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd`
+2. **Repository**: https://github.com/ralphbean/llm-compressor-hermetic-demo
+3. **Branch**: `main`
+4. **Commit Title**: "Document llm-compressor-remote-oci-ta task in README"
+5. **Build Date**: 2025-10-21T20:19:23Z
+
+You can verify this commit by visiting the GitHub repository URL and checking the specific commit hash. The exact source code for this image can be found at:
+https://github.com/ralphbean/llm-compressor-hermetic-demo/commit/7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
+
+Is there anything specific you'd like to know about this source code commit or the image build process?
diff --git a/tests/results/verify-image-source.3.txt b/tests/results/verify-image-source.3.txt
new file mode 100644
index 0000000..fddeeca
--- /dev/null
+++ b/tests/results/verify-image-source.3.txt
@@ -0,0 +1,9 @@
+# skill_digest: 277bf232d6be393d85b2319366d2fc3272f724b211a267eafcecbb712eff0bb0
+Based on the provenance information, I can confirm the details for this image:
+
+- Source Repository: https://github.com/ralphbean/llm-compressor-hermetic-demo
+- Exact Commit: 7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
+- Branch: main
+- Build Timestamp: 2025-10-21T20:19:23Z
+
+Would you like me to provide any additional information about this specific commit or the source repository?
diff --git a/tests/scenarios.yaml b/tests/scenarios.yaml
new file mode 100644
index 0000000..dcfb462
--- /dev/null
+++ b/tests/scenarios.yaml
@@ -0,0 +1,78 @@
+# Test scenarios for working-with-provenance skill
+# This file defines all test cases for validating the skill's behavior
+
+skill_name: working-with-provenance
+description: Tests for provenance attestation navigation and artifact tracing
+
+# Test scenarios following TDD methodology (RED-GREEN-REFACTOR)
+test_scenarios:
+ - name: trace-missing-sbom-to-logs
+ description: Test ability to navigate from image to build logs for SBOM investigation
+ prompt: "This Konflux build quay.io/redhat-user-workloads/konflux-ai-sig-tenant/llm-compressor-demo:7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd is missing its SBOM. Can you help me find the build logs to see what happened?"
+ model: haiku
+ samples: 3
+ expected:
+ contains_keywords:
+ - konflux-ui
+ - pipelinerun
+ does_not_contain: []
+ baseline_failure: "Agent doesn't know how to extract build log URL from provenance attestation"
+
+ - name: trace-build-to-commit
+ description: Test ability to navigate from image to source commit
+ prompt: "The latest Konflux build quay.io/redhat-user-workloads/konflux-ai-sig-tenant/llm-compressor-demo:7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd isn't working as expected. Can you help me find which commit it was built from so I can see what changed?"
+ model: haiku
+ samples: 3
+ expected:
+ contains_keywords:
+ - 7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
+ - github.com
+ does_not_contain: []
+ baseline_failure: "Agent doesn't know how to extract commit SHA and repo URL from provenance"
+
+ - name: verify-image-source
+ description: Test security/compliance verification of image source
+ prompt: "I need to verify which exact source code commit this Konflux production image was built from: quay.io/redhat-user-workloads/konflux-ai-sig-tenant/llm-compressor-demo:7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd"
+ model: haiku
+ samples: 3
+ expected:
+ contains_keywords:
+ - 7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd
+ - llm-compressor-hermetic-demo
+ does_not_contain: []
+ baseline_failure: "Agent doesn't know provenance contains definitive source information"
+
+ - name: extract-pipeline-logs
+ description: Test quick extraction of pipeline log URL
+ prompt: "A Konflux build failed with weird errors. I have the image reference quay.io/redhat-user-workloads/konflux-ai-sig-tenant/llm-compressor-demo:7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd. How do I get to the full pipeline logs?"
+ model: haiku
+ samples: 3
+ expected:
+ contains_keywords:
+ - konflux-ui
+ - pipelinerun
+ does_not_contain: []
+ baseline_failure: "Agent suggests manual UI navigation instead of using provenance"
+
+ - name: extract-git-repo
+ description: Test extraction of source repository URL
+ prompt: "I have this Konflux image quay.io/redhat-user-workloads/konflux-ai-sig-tenant/llm-compressor-demo:7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd but don't know which repo it came from. How can I find out?"
+ model: haiku
+ samples: 3
+ expected:
+ contains_keywords:
+ - github.com
+ - llm-compressor-hermetic-demo
+ does_not_contain: []
+ baseline_failure: "Agent doesn't know how to extract repository URL from provenance"
+
+ - name: negative-non-konflux-image
+ description: Test that skill doesn't trigger for non-Konflux contexts
+ prompt: "How do I find the source code for this Docker Hub image: nginx:latest?"
+ model: haiku
+ samples: 3
+ expected:
+ contains_keywords: []
+ does_not_contain:
+ - cosign download attestation
+ baseline_failure: "Skill shouldn't apply to non-Konflux images"
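Review bot: The `contains_keywords` lists for `trace-build-to-commit` and `verify-image-source` can be satisfied by echoing the prompt, because `7f9a553dd100ba700fc8f9da942f8dfcecf6a1bd` is already the image tag in the prompt text, so neither scenario distinguishes an agent that read the attestation from one that repeated its input. Require at least one value only the provenance supplies, e.g. add `- llm-compressor-hermetic-demo` under trace-build-to-commit and `- main` or `- 2025-10-21T20:19:23Z` under verify-image-source, both of which the recorded verify-image-source results already contain. Since verify-image-source is described as a security/compliance check, it would also be worth requiring that the answer mentions verifying the attestation's signature rather than only downloading it, as an unverified provenance statement establishes nothing about the image. The prompts identify the image by a mutable tag; provenance is bound to the image digest, so consider noting the digest form in the scenario description or `baseline_failure` text.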