validatedpatterns · minmzzhang · May 20, 2026 · May 27, 2026 · May 28, 2026 · May 28, 2026
diff --git a/charts/supply-chain/templates/pipeline-qtodo.yaml b/charts/supply-chain/templates/pipeline-qtodo.yaml
@@ -1,5 +1,5 @@
 ---
-apiVersion: tekton.dev/v1beta1
+apiVersion: tekton.dev/v1
 kind: Pipeline
 metadata:
   name: qtodo-supply-chain
@@ -8,12 +8,20 @@ spec:
   params:
     - name: git-url
       type: string
-      description: The URL of the public Github qtodo repository
+      description: The URL of the qtodo repository (public or protected)
       default: {{ .Values.qtodo.repository | quote }}
     - name: git-revision
       type: string
-      description: The revision of the public Github qtodo repository
+      description: The revision of the qtodo repository
       default: {{ .Values.qtodo.revision }}
+    - name: rebuild
+      type: string
+      description: Force rebuild the image even if it already exists
+      default: "false"
+    - name: skip-checks
+      type: string
+      description: Skip pre-build checks against existing image
+      default: "false"
     - name: qtodo-build-cmd
       type: string
       description: The command to build the qtodo artifact
@@ -100,9 +108,44 @@ spec:
   workspaces:
     - name: qtodo-source
     - name: registry-auth-config
+    - name: git-auth
+      optional: true
+
+  results:
+    - name: CHAINS-GIT_URL
+      description: The git URL used for the build (Tekton Chains provenance)
+      value: $(tasks.qtodo-clone-repository.results.URL)
+    - name: CHAINS-GIT_COMMIT
+      description: The git commit SHA used for the build (Tekton Chains provenance)
+      value: $(tasks.qtodo-clone-repository.results.COMMIT)
+    - name: IMAGE_URL
+      description: The image URL built by the pipeline (Tekton Chains provenance)
+      value: $(tasks.qtodo-build-image.results.IMAGE_URL)
+    - name: IMAGE_DIGEST
+      description: The image digest built by the pipeline (Tekton Chains provenance)
+      value: $(tasks.qtodo-build-image.results.IMAGE_DIGEST)
 
   tasks:
+    - name: init
+      taskRef:
+        name: init
+        kind: Task
+      params:
+        - name: image-url
+          value: $(params.image-target)
+        - name: rebuild
+          value: $(params.rebuild)
+        - name: skip-checks
+          value: $(params.skip-checks)
+
     - name: qtodo-clone-repository
+      runAfter:
+        - init
+      when:
+        - input: $(tasks.init.results.build)
+          operator: in
+          values:
+            - "true"
       taskRef:
         resolver: cluster
         params:
@@ -120,6 +163,13 @@ spec:
       workspaces:
         - name: output
           workspace: qtodo-source
+{{- if eq (default "https" .Values.git.credentials.authType) "ssh" }}
+        - name: ssh-directory
+          workspace: git-auth
+{{- else }}
+        - name: basic-auth
+          workspace: git-auth
+{{- end }}
 
     - name: qtodo-build-artifact
       runAfter:

diff --git a/charts/supply-chain/templates/pipelinerun-qtodo.yaml b/charts/supply-chain/templates/pipelinerun-qtodo.yaml
@@ -92,7 +92,7 @@ spec:
           fi
 
           cat <<'MANIFEST' | oc create -f -
-          apiVersion: tekton.dev/v1beta1
+          apiVersion: tekton.dev/v1
           kind: PipelineRun
           metadata:
             generateName: qtodo-supply-chain-

diff --git a/charts/supply-chain/templates/rbac/pipeline-sa.yaml b/charts/supply-chain/templates/rbac/pipeline-sa.yaml
@@ -10,4 +10,7 @@ metadata:
     argocd.argoproj.io/compare-options: IgnoreExtraneous
     argocd.argoproj.io/syncOptions: ServerSideApply=true
 secrets:
-  - name: qtodo-registry-auth
+  - name: qtodo-registry-auth
+{{- if .Values.git.credentials.enabled }}
+  - name: qtodo-git-credentials
+{{- end }}
diff --git a/charts/supply-chain/templates/rbac/registry-token-refresher.yaml b/charts/supply-chain/templates/rbac/registry-token-refresher.yaml
@@ -72,6 +72,9 @@ spec:
     spec:
       backoffLimit: 3
       template:
+        metadata:
+          labels:
+            app.kubernetes.io/name: registry-token-refresher
         spec:
           serviceAccountName: {{ .Values.pipelineServiceAccount }}
           restartPolicy: Never

diff --git a/charts/supply-chain/templates/secrets/qtodo-git-credentials.yaml b/charts/supply-chain/templates/secrets/qtodo-git-credentials.yaml
@@ -0,0 +1,58 @@
+{{- if .Values.git.credentials.enabled }}
+{{- $authType := .Values.git.credentials.authType | default "https" }}
+{{- $host := .Values.git.credentials.host }}
+---
+apiVersion: "external-secrets.io/v1beta1"
+kind: ExternalSecret
+metadata:
+  name: qtodo-git-credentials
+  namespace: {{ .Release.Namespace | default .Values.global.namespace }}
+spec:
+  refreshInterval: 15s
+  secretStoreRef:
+    name: {{ .Values.global.secretStore.name }}
+    kind: {{ .Values.global.secretStore.kind }}
+  target:
+    name: qtodo-git-credentials
+    template:
+{{- if eq $authType "ssh" }}
+      type: kubernetes.io/ssh-auth
+      metadata:
+        annotations:
+          tekton.dev/git-0: {{ $host | quote }}
+      data:
+        ssh-privatekey: {{ printf "{{ index . \"%s\" }}" .Values.git.credentials.sshPrivateKeyKey | quote }}
+        known_hosts: {{ printf "{{ index . \"%s\" }}" .Values.git.credentials.knownHostsKey | quote }}
+  data:
+    - secretKey: {{ .Values.git.credentials.sshPrivateKeyKey }}
+      remoteRef:
+        key: {{ .Values.git.credentials.vaultPath }}
+        property: {{ .Values.git.credentials.sshPrivateKeyKey }}
+    - secretKey: {{ .Values.git.credentials.knownHostsKey }}
+      remoteRef:
+        key: {{ .Values.git.credentials.vaultPath }}
+        property: {{ .Values.git.credentials.knownHostsKey }}
+{{- else }}
+{{- $hostBare := $host | trimPrefix "https://" | trimPrefix "http://" }}
+{{- $userKey := .Values.git.credentials.usernameKey }}
+{{- $passKey := .Values.git.credentials.passwordKey }}
+      type: Opaque
+      metadata:
+        annotations:
+          tekton.dev/git-0: {{ $host | quote }}
+      data:
+        .gitconfig: |
+          [credential "{{ $host }}"]
+            helper = store
+        .git-credentials: {{ printf "https://{{ .%s }}:{{ .%s | trim }}@%s" $userKey $passKey $hostBare | quote }}
+  data:
+    - secretKey: {{ $userKey }}
+      remoteRef:
+        key: {{ .Values.git.credentials.vaultPath }}
+        property: {{ $userKey }}
+    - secretKey: {{ $passKey }}
+      remoteRef:
+        key: {{ .Values.git.credentials.vaultPath }}
+        property: {{ $passKey }}
+{{- end }}
+{{- end }}
diff --git a/charts/supply-chain/templates/tasks/build-artifact.yaml b/charts/supply-chain/templates/tasks/build-artifact.yaml
@@ -1,5 +1,5 @@
 ---
-apiVersion: tekton.dev/v1beta1
+apiVersion: tekton.dev/v1
 kind: Task
 metadata:
   name: qtodo-build-artifact

diff --git a/charts/supply-chain/templates/tasks/generate-sbom.yaml b/charts/supply-chain/templates/tasks/generate-sbom.yaml
@@ -1,5 +1,5 @@
 ---
-apiVersion: tekton.dev/v1beta1
+apiVersion: tekton.dev/v1
 kind: Task
 metadata:
   name: qtodo-generate-sbom

diff --git a/charts/supply-chain/templates/tasks/init.yaml b/charts/supply-chain/templates/tasks/init.yaml
@@ -0,0 +1,55 @@
+---
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+  labels:
+    app.kubernetes.io/version: "0.1"
+  annotations:
+    tekton.dev/pipelines.minVersion: "0.12.1"
+    tekton.dev/tags: "supply-chain"
+  name: init
+  namespace: {{ .Values.global.namespace }}
+spec:
+  description: >-
+    Initialize Pipeline Task. Determines whether the image should be built
+    by checking if the target image already exists in the registry.
+    Supports rebuild and skip-checks flags.
+  params:
+    - name: image-url
+      description: Image URL for build by PipelineRun
+    - name: rebuild
+      description: Rebuild the image even if it exists
+      default: "false"
+    - name: skip-checks
+      description: Skip checks against built image
+      default: "false"
+  results:
+    - name: build
+      description: Defines if the image in param image-url should be built
+  steps:
+    - name: init
+      image: {{ .Values.tasks.images.skopeo }}
+      computeResources:
+        limits:
+          memory: 256Mi
+        requests:
+          memory: 256Mi
+          cpu: 100m
+      env:
+        - name: IMAGE_URL
+          value: $(params.image-url)
+        - name: REBUILD
+          value: $(params.rebuild)
+        - name: SKIP_CHECKS
+          value: $(params.skip-checks)
+      script: |
+        #!/bin/bash
+        echo "Build Initialize: $IMAGE_URL"
+        echo
+
+        echo "Determine if Image Already Exists"
+        if [ "$REBUILD" == "true" ] || [ "$SKIP_CHECKS" == "false" ] || ! skopeo inspect --no-tags --raw "docker://$IMAGE_URL" &>/dev/null; then
+          echo -n "true" > $(results.build.path)
+        else
+          echo -n "false" > $(results.build.path)
+        fi
diff --git a/charts/supply-chain/templates/tasks/restart-qtodo.yaml b/charts/supply-chain/templates/tasks/restart-qtodo.yaml
@@ -1,5 +1,5 @@
 ---
-apiVersion: tekton.dev/v1beta1
+apiVersion: tekton.dev/v1
 kind: Task
 metadata:
   name: restart-qtodo

diff --git a/charts/supply-chain/templates/tasks/sbom-attest.yaml b/charts/supply-chain/templates/tasks/sbom-attest.yaml
@@ -1,5 +1,5 @@
 ---
-apiVersion: tekton.dev/v1beta1
+apiVersion: tekton.dev/v1
 kind: Task
 metadata:
   name: qtodo-sbom-attestation

diff --git a/charts/supply-chain/templates/tasks/sign-artifact.yaml b/charts/supply-chain/templates/tasks/sign-artifact.yaml
@@ -1,5 +1,5 @@
 ---
-apiVersion: tekton.dev/v1beta1
+apiVersion: tekton.dev/v1
 kind: Task
 metadata:
   name: qtodo-sign-artifact

diff --git a/charts/supply-chain/templates/tasks/sign-image.yaml b/charts/supply-chain/templates/tasks/sign-image.yaml
@@ -1,5 +1,5 @@
 ---
-apiVersion: tekton.dev/v1beta1
+apiVersion: tekton.dev/v1
 kind: Task
 metadata:
   name: qtodo-sign-image

diff --git a/charts/supply-chain/templates/tasks/upload-sbom.yaml b/charts/supply-chain/templates/tasks/upload-sbom.yaml
@@ -1,6 +1,6 @@
 {{- if eq .Values.rhtpa.enabled true }}
 ---
-apiVersion: tekton.dev/v1beta1
+apiVersion: tekton.dev/v1
 kind: Task
 metadata:
   name: qtodo-upload-sbom

diff --git a/charts/supply-chain/templates/tasks/verify-artifact.yaml b/charts/supply-chain/templates/tasks/verify-artifact.yaml
@@ -1,5 +1,5 @@
 ---
-apiVersion: tekton.dev/v1beta1
+apiVersion: tekton.dev/v1
 kind: Task
 metadata:
   name: qtodo-verify-artifact

diff --git a/charts/supply-chain/templates/tasks/verify-image.yaml b/charts/supply-chain/templates/tasks/verify-image.yaml
@@ -1,5 +1,5 @@
 ---
-apiVersion: tekton.dev/v1beta1
+apiVersion: tekton.dev/v1
 kind: Task
 metadata:
   name: qtodo-verify-image

diff --git a/charts/supply-chain/values.yaml b/charts/supply-chain/values.yaml
@@ -40,6 +40,18 @@ rhtpa:
     clientSecretVaultPath: "secret/data/hub/infra/rhtpa/rhtpa-oidc-cli"
     clientSecretVaultKey: "client-secret"
 
+# git credentials for protected repositories
+git:
+  credentials:
+    enabled: false
+    authType: "https"
+    host: "https://github.com"
+    vaultPath: "secret/data/hub/supply-chain/git-credentials"
+    usernameKey: "username"
+    passwordKey: "password"
+    sshPrivateKeyKey: "ssh-privatekey"
+    knownHostsKey: "known_hosts"
+
 # qtodo repository configuration
 qtodo:
   repository: "https://github.com/validatedpatterns-demos/qtodo.git"
@@ -145,3 +157,4 @@ tasks:
     mandrel: "registry.redhat.io/quarkus/mandrel-for-jdk-21-rhel8:23.1-36"
     syft: "registry.redhat.io/rh-syft-tech-preview/syft-rhel9:1.29.0"
     rhtpa: "registry.access.redhat.com/ubi9/ubi:9.7-1764794285"
+    skopeo: "registry.access.redhat.com/ubi9/skopeo:9.5-1745865345@sha256:d91eb0dac7308ddfb12193368a42009509925edba80da9ffd3b82d03427dc3ed"