enable Konflux cache proxy for builds

[robnester-rh]

Enable the cache proxy in the Tekton pipeline definitions to improve build performance by caching dependencies.

Ref: EC-1614

[qodo-code-review]

Review Summary by Qodo

Enable Konflux cache proxy for Tekton builds

✨ Enhancement

Walkthroughs

Description

• Enable cache proxy in Tekton pipeline definitions
• Add enable-cache-proxy parameter to both pull-request and push pipelines
• Default cache proxy to enabled for improved build performance
• Pass cache proxy parameter to build-image task

Diagram

flowchart LR
  A["Pipeline Parameters"] -- "add enable-cache-proxy" --> B["Pipeline Spec"]
  B -- "pass to build-image task" --> C["Build Image Task"]
  C -- "uses cache proxy" --> D["Improved Build Performance"]

Loading

File Changes

1. .tekton/cli-v07-pull-request.yaml ✨ Enhancement +8/-0

Add cache proxy parameter to pull-request pipeline

• Add enable-cache-proxy parameter with default value true to pipeline params
• Define enable-cache-proxy parameter in pipelineSpec with description and type
• Pass ENABLE_CACHE_PROXY environment variable to build-image task

.tekton/cli-v07-pull-request.yaml

---

2. .tekton/cli-v07-push.yaml ✨ Enhancement +8/-0

Add cache proxy parameter to push pipeline

• Add enable-cache-proxy parameter with default value true to pipeline params
• Define enable-cache-proxy parameter in pipelineSpec with description and type
• Pass ENABLE_CACHE_PROXY environment variable to build-image task

.tekton/cli-v07-push.yaml

---

[qodo-code-review]

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (2) 📎 Requirement gaps (0)

1. enable-cache-proxy boolean naming 📘 Rule violation ✓ Correctness

Description

The new boolean-like pipeline param uses enable-cache-proxy instead of the recommended boolean
prefixes (is_, has_, can_, should_). This reduces consistency and self-documentation for
toggle parameters across the codebase.

Code

.tekton/cli-v07-pull-request.yaml[R115-118]

+    - default: "true"
+      description: Enable cache proxy
+      name: enable-cache-proxy
+      type: string

Evidence

Compliance ID 2 requires boolean identifiers to use prefixes like is_/has_/can_/should_. The
PR introduces a new toggle parameter named enable-cache-proxy in both pipeline definitions.

Rule 2: Generic: Meaningful Naming and Self-Documenting Code
.tekton/cli-v07-pull-request.yaml[115-118]
.tekton/cli-v07-push.yaml[114-117]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
A new boolean-like pipeline parameter is named `enable-cache-proxy`, which does not follow the boolean-prefix naming guideline (`is_`, `has_`, `can_`, `should_`).

## Issue Context
This parameter is introduced in both the pull-request and push pipeline definitions and is referenced via `$(params.enable-cache-proxy)`.

## Fix Focus Areas
- .tekton/cli-v07-pull-request.yaml[43-44]
- .tekton/cli-v07-pull-request.yaml[115-118]
- .tekton/cli-v07-pull-request.yaml[238-239]
- .tekton/cli-v07-push.yaml[42-43]
- .tekton/cli-v07-push.yaml[114-117]
- .tekton/cli-v07-push.yaml[237-238]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

2. enable-cache-proxy unvalidated param 📘 Rule violation ⛯ Reliability

Description

The new enable-cache-proxy value is passed through as a free-form string into ENABLE_CACHE_PROXY
without any validation/normalization. Unexpected values (e.g., empty, yes, mixed case) can cause
edge-case behavior in downstream tasks that interpret this value as a boolean.

Code

.tekton/cli-v07-pull-request.yaml[R238-239]

+      - name: ENABLE_CACHE_PROXY
+        value: $(params.enable-cache-proxy)

Evidence

Compliance IDs 3 and 6 require handling edge cases and validating external inputs. The PR introduces
a string-typed parameter and injects it directly into an environment variable used by tasks, with no
visible constraints or validation.

Rule 3: Generic: Robust Error Handling and Edge Case Management
Rule 6: Generic: Security-First Input Validation and Data Handling
.tekton/cli-v07-pull-request.yaml[115-118]
.tekton/cli-v07-pull-request.yaml[238-239]
.tekton/cli-v07-push.yaml[114-117]
.tekton/cli-v07-push.yaml[237-238]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`enable-cache-proxy` is a string parameter that is passed directly into `ENABLE_CACHE_PROXY` without validation, which can lead to edge-case behavior if unexpected values are provided.

## Issue Context
The pipeline currently defines the parameter as `type: string` with `default: "true"` and injects it into the task environment via `$(params.enable-cache-proxy)`.

## Fix Focus Areas
- .tekton/cli-v07-pull-request.yaml[115-118]
- .tekton/cli-v07-pull-request.yaml[238-239]
- .tekton/cli-v07-push.yaml[114-117]
- .tekton/cli-v07-push.yaml[237-238]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

3. Unvalidated external task param 🐞 Bug ⛯ Reliability

Description

Both PipelineRuns now pass a new task parameter (ENABLE_CACHE_PROXY) into a pinned,
externally-resolved buildah-oci-ta task bundle. If the pinned bundle digest doesn’t support this
param name, the PipelineRun will be rejected at admission time in the build cluster, but this
mismatch is not caught by this repo’s CI/linting as written.

Code

.tekton/cli-v07-pull-request.yaml[R238-239]

+      - name: ENABLE_CACHE_PROXY
+        value: $(params.enable-cache-proxy)

Evidence

The PipelineRun injects ENABLE_CACHE_PROXY into the build-container task while the task itself is
referenced from an external bundle pinned to a specific digest, and the repo’s lint target only runs
tekton-lint against files under tasks/*/*/*.yaml (not .tekton/*.yaml), so these PipelineRun changes
aren’t validated in CI here.

.tekton/cli-v07-pull-request.yaml[211-250]
.tekton/cli-v07-push.yaml[210-249]
Makefile[196-224]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The PR adds a new task param (`ENABLE_CACHE_PROXY`) passed into an externally-resolved, digest-pinned Tekton task (`buildah-oci-ta`). If the pinned task doesn’t define this param, the PipelineRun will fail when applied in the build cluster. This repo’s CI linting currently does not validate `.tekton/*.yaml`, so such mismatches won’t be caught pre-merge.

### Issue Context
- The PipelineRuns reference tasks via bundle resolvers, so compatibility depends on the exact pinned bundle digests.
- The repository lint target runs `tekton-lint` only for `tasks/*/*/*.yaml`, not PipelineRuns under `.tekton/`.

### Fix Focus Areas
- .tekton/cli-v07-pull-request.yaml[238-247]
- .tekton/cli-v07-push.yaml[237-246]
- Makefile[196-224]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

ⓘ The new review experience is currently in Beta. Learn more

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag	Coverage Δ
generative	69.55% <ø> (ø)
integration	69.55% <ø> (ø)
unit	69.55% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.