
task: add short-lived token support in rhacs-* tasks #1257

Open · wants to merge 2 commits into main
Conversation

@rhybrillou rhybrillou commented May 7, 2024

Changes

Add support for short-lived tokens in rhacs-deployment-check, rhacs-image-check and rhacs-image-scan tasks.

The above three tasks have a new version that can be configured either with authorization using API tokens (similar configuration to 3.71 version of the tasks), or with authorization using short-lived tokens received from the new rhacs-m2m-authenticate task.

Both configuration variants have a sample with the expected Secret, Pipeline and PipelineRun objects.

Submitter Checklist

These are the criteria that every PR should meet; please check them off as you review them:

  • Follows the authoring recommendations
  • Includes docs (if user facing)
  • Includes tests (for new tasks or changed functionality)
  • Meets the Tekton contributor standards (including functionality, content, code)
  • Commit messages follow commit message best practices
  • Has a kind label. You can add one by adding a comment on this PR that
    contains /kind <type>. Valid types are bug, cleanup, design, documentation,
    feature, flake, misc, question, tep
  • Complies with Catalog Organization TEP, see example. Note: an issue has been filed to automate this validation
    • File path follows <kind>/<name>/<version>/name.yaml
    • Has README.md at <kind>/<name>/<version>/README.md
    • Has mandatory metadata.labels - app.kubernetes.io/version the same as the <version> of the resource
    • Has mandatory metadata.annotations tekton.dev/pipelines.minVersion
    • mandatory spec.description follows the convention

      ```
      spec:
        description: >-
          one line summary of the resource

          Paragraph(s) to describe the resource.
      ```

See the contribution guide for more details.

@tekton-robot tekton-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 7, 2024
@tekton-robot

Hi @rhybrillou. Thanks for your PR.

I'm waiting for a tektoncd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@tekton-robot tekton-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. do-not-merge/invalid-owners-file Indicates that a PR should not merge because it has an invalid OWNERS file in it. labels May 7, 2024
@tekton-robot

Catlin Output
FILE: task/rhacs-deployment-check/4.0/rhacs-deployment-check.yaml
WARN : Step "rox-deploy-check" uses image "$(params.rox_image)" that contains variables; skipping validation
FILE: task/rhacs-image-check/4.0/rhacs-image-check.yaml
WARN : Step "rox-image-check" uses image "$(params.rox_image)" that contains variables; skipping validation
FILE: task/rhacs-image-scan/4.0/rhacs-image-scan.yaml
WARN : Step "rox-image-scan" uses image "$(params.rox_image)" that contains variables; skipping validation
FILE: task/rhacs-m2m-authenticate/0.1/rhacs-m2m-authenticate.yaml

@rhybrillou (Author)

/kind task

@tekton-robot

@rhybrillou: The label(s) kind/task cannot be applied, because the repository doesn't have them.

In response to this:

/kind task

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@rhybrillou (Author)

/kind feature

@tekton-robot tekton-robot added the kind/feature Categorizes issue or PR as related to a new feature. label May 8, 2024
@rhybrillou rhybrillou marked this pull request as ready for review May 8, 2024 15:05
@tekton-robot tekton-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 8, 2024
@vinamra28 (Member)

@rhybrillou, will it be possible for you to break the PR into multiple PRs? 😅

@dhaus67 dhaus67 force-pushed the yann/rhacs-new-tasks-with-m2m-compat branch from 1612772 to d281d6c Compare May 13, 2024 12:36
@tekton-robot tekton-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed do-not-merge/invalid-owners-file Indicates that a PR should not merge because it has an invalid OWNERS file in it. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels May 13, 2024
@tekton-robot

Diff between version and 4.0
diff --git a/task/rhacs-deployment-check/3.71/README.md b/task/rhacs-deployment-check/3.71/README.md
deleted file mode 100644
index a81b495..0000000
--- a/task/rhacs-deployment-check/3.71/README.md
+++ /dev/null
@@ -1,72 +0,0 @@
-# Red Hat Advanced Cluster Security Deployment Check Task
-
-Check a deployment manifest against RHACS deploy lifecycle policies to validate a pipeline run using `roxctl`.
-
-## Prerequisites
-
-This task requires an active installation of [Red Hat Advanced Cluster Security (RHACS)](https://www.redhat.com/en/resources/advanced-cluster-security-for-kubernetes-datasheet).  It also requires configuration of secrets for the Central endpoint and an API token with at least CI privileges.
-
-<https://www.redhat.com/en/technologies/cloud-computing/openshift/advanced-cluster-security-kubernetes>
-
-## Install the Task
-
-```bash
-kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/rhacs-deployment-check/3.71/raw
-```
-
-## Parameters
-
-- **`deployment`**: Filename of deployment manifest. May be relative to workspace root or fully qualified. (example -- kustomize/overlays/dev/deployment.yaml)
-- **`insecure-skip-tls-verify`**: Skip verification the TLS certs of the Central endpoint and registry. Examples: _"true", **"false"**_.
-- **`output_format`**:  Examples: _**table**, csv, json, junit_
-- **`rox_central_endpoint`**: Secret containing the address:port tuple for StackRox Central. Default: _**rox-central-endpoint**_
-- **`rox_api_token`**: Secret containing the StackRox API token with CI permissions. Default: _**rox-api-token**_
-## Workspaces
-
-- **source**: A [Workspace](https://github.com/tektoncd/pipeline/blob/main/docs/workspaces.md) containing the deployment manifest.
-
-## Usage
-
-Create secrets for authentication to RHACS Central endpoint and supply filesystem path to deployment manifest for checking.
-
-Run this task after rhacs-image-scan to ensure most up to date CVE data for images referenced by the deployment.
-
-If the deployment violates one or more enforced policies, this task will return a failure and cause the pipeline run to fail. 
-
-**Example secret creation:**
-
-```bash
-kubectl create secret generic rox-api-token \
-  --from-literal=rox_api_token="$ROX_API_TOKEN"
-kubectl create secret generic rox-central-endpoint \
-  --from-literal=rox_central_endpoint=central.stackrox.svc:443
-```
-
-**Example task use:**
-
-```yaml
-  tasks:
-    - name: check-deployment
-    taskRef:
-      name: rhacs-deployment-check
-      kind: Task
-    workspaces:
-    - name: source
-      workspace: shared-workspace
-    params:
-    - name: deployment
-      value: $(params.deployment)
-    runAfter:
-    - fetch-repository
-```
-
-**Samples:**
-
-* [secrets.yaml](samples/secrets.yaml) example secret
-* [pipeline.yaml](samples/pipeline.yaml) demonstrates use in a pipeline.
-* [pipelinerun.yaml](samples/pipelinerun.yaml) demonstrates use in a pipelinerun.
-
-# Known Issues
-
-* Skipping TLS Verify is currently required. TLS trust bundle not working for quay.io etc.
-* If the namespace value is not found in the deployment manifest any RHACS policies which are scoped to specific namespaces will not be matched.
\ No newline at end of file
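Review bot: the README being removed here documents a single credential (the `rox_api_token` Secret with CI permissions) and a Known Issue stating that skipping TLS verification is "currently required"; since this PR adds a short-lived token path, the 4.0 README needs to document both credential options and either re-verify or retire the TLS note, otherwise users keep `insecure-skip-tls-verify` on out of habit. The install line `kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/rhacs-deployment-check/3.71/raw` also goes away with this file; if the diff reflects a real removal of the 3.71 directory rather than an artifact of the version-diff bot, keep 3.71 in place beside 4.0 so users pinned to it keep their docs.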
diff --git a/task/rhacs-deployment-check/3.71/rhacs-deployment-check.yaml b/task/rhacs-deployment-check/3.71/rhacs-deployment-check.yaml
deleted file mode 100644
index 1ea649a..0000000
--- a/task/rhacs-deployment-check/3.71/rhacs-deployment-check.yaml
+++ /dev/null
@@ -1,83 +0,0 @@
----
-apiVersion: tekton.dev/v1beta1
-kind: Task
-metadata:
-  name: rhacs-deployment-check
-  labels:
-    app.kubernetes.io/version: "3.71"
-  annotations:
-    tekton.dev/tags: security
-    tekton.dev/categories: Security
-    tekton.dev/displayName: "Policy check a deployment with Red Hat Advanced Cluster Security"
-    tekton.dev/platforms: "linux/amd64"
-    tekton.dev/pipelines.minVersion: "0.18.0"
-spec:
-  description: >-
-    Policy check a deployment with Red Hat Advanced Cluster Security.
-
-    This tasks allows you to check a Kubernetes deployment manifest against policies
-    and apply enforcement to fail pipelines.
-  params:
-    - name: rox_central_endpoint
-      type: string
-      description: Name of secret containing the address:port tuple for RHACS Stackrox Central.
-      default: rox-central-endpoint
-    - name: rox_api_token
-      type: string
-      description: Name of secret containing the RHACS StackRox API token with CI permissions.
-      default: rox-api-token
-    - name: rox_image
-      description: Image providing the roxctl tool.
-      default: quay.io/stackrox-io/roxctl:3.71.0
-    - name: deployment
-      type: string
-      description: |
-        Deployment filename to check.
-        Examples: 'deployment.yaml', '$(workspaces.source.path)/base/deployment.yaml'
-      default: '$(workspaces.source.path)/deployment.yaml'
-    - name: output_format
-      description: Results output format (csv | json | junit | table)
-      type: string
-      default: "table"
-    - name: insecure-skip-tls-verify
-      type: string
-      description: |
-        Do not verify TLS certificates.
-
-        When set to "true", skip verifying the TLS certs of the Central endpoint and registry.
-      default: "false"
-  workspaces:
-    - name: source
-  results:
-    - name: check_output
-      description: Output of `roxctl deployment check`
-  steps:
-    - name: rox-deploy-check
-      image: $(params.rox_image)
-      workingDir: $(workspaces.source.path)
-      env:
-        - name: DEPLOYMENT
-          value: $(params.deployment)
-        - name: HOME
-          value: /tekton/home
-        - name: INSECURE
-          value: $(params.insecure-skip-tls-verify)
-        - name: OUTPUT
-          value: $(params.output_format)
-        - name: ROX_API_TOKEN
-          valueFrom:
-            secretKeyRef:
-              name: $(params.rox_api_token)
-              key: rox_api_token
-        - name: ROX_CENTRAL_ENDPOINT
-          valueFrom:
-            secretKeyRef:
-              name: $(params.rox_central_endpoint)
-              key: rox_central_endpoint
-      args:
-        - deployment
-        - check
-        - --endpoint=$(ROX_CENTRAL_ENDPOINT)
-        - --insecure-skip-tls-verify=$(INSECURE)
-        - --output=$(OUTPUT)
-        - --file=$(DEPLOYMENT)
\ No newline at end of file
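Review bot: `check_output` is declared under `results:` ("Output of `roxctl deployment check`") but never written: the only step runs `roxctl deployment check ...` through `args:`, output goes to stdout, and nothing writes to `$(results.check_output.path)`, so downstream tasks reading the result get an empty value. Either drop the declaration or replace `args:` with a `script:` that tees the command output into the result path. Minor: `rox_image` is the one param without `type: string`; add it for consistency with the other params.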
diff --git a/task/rhacs-deployment-check/3.71/samples/pipeline.yaml b/task/rhacs-deployment-check/3.71/samples/pipeline.yaml
deleted file mode 100644
index 3fe2941..0000000
--- a/task/rhacs-deployment-check/3.71/samples/pipeline.yaml
+++ /dev/null
@@ -1,100 +0,0 @@
-apiVersion: tekton.dev/v1beta1
-kind: Pipeline
-metadata:
-  name: rox-pipeline
-spec:
-
-  workspaces:
-    - name: shared-workspace
-
-  params:
-    - name: deployment-name
-      type: string
-      description: name of the deployment resource to be patched
-    - name: deployment
-      type: string
-      description: filename of the deployment to be patched
-    - name: git-url
-      type: string
-      description: url of the git repo for the code of deployment
-    - name: git-revision
-      type: string
-      description: revision to be used from repo of the code for deployment
-      default: main
-    - name: IMAGE
-      type: string
-      description: image to be build from the code
-
-  tasks:
-    # checkout source code
-    - name: fetch-repository
-      taskRef:
-        name: git-clone
-        kind: ClusterTask
-      workspaces:
-      - name: output
-        workspace: shared-workspace
-      params:
-      - name: url
-        value: $(params.git-url)
-      - name: subdirectory
-        value: ""
-      - name: deleteExisting
-        value: "true"
-      - name: revision
-        value: $(params.git-revision)
-
-    # validate deployment against defined  RHACS policies
-    - name: police-deployment
-      taskRef:
-        name: rhacs-deployment-check
-        kind: Task
-      workspaces:
-      - name: source
-        workspace: shared-workspace
-      params:
-      - name: deployment
-        value: $(params.deployment)
-      - name: insecure-skip-tls-verify
-        value: "true"
-      runAfter:
-      - fetch-repository
-
-    - name: build-image
-      taskRef:
-        name: buildah
-        kind: ClusterTask
-      params:
-      - name: IMAGE
-        value: $(params.IMAGE)
-      workspaces:
-      - name: source
-        workspace: shared-workspace
-      runAfter:
-      - fetch-repository
-
-    # scan image for vulns using RHACS
-    - name: scan-image
-      taskRef:
-        name: rhacs-image-scan
-        kind: Task
-      params:
-      - name: image
-        value: "$(params.IMAGE)@$(tasks.build-image.results.IMAGE_DIGEST)"
-      - name: insecure-skip-tls-verify
-        value: "true" # stackrox to OCP image registry x509 fail...
-      runAfter:
-      - build-image
-
-    # validate image against RHACS policies
-    - name: police-image
-      taskRef:
-        name: rhacs-image-check
-        kind: Task
-      params:
-      - name: image
-        value: "$(params.IMAGE)@$(tasks.build-image.results.IMAGE_DIGEST)"
-      - name: insecure-skip-tls-verify
-        value: "true"
-      runAfter:
-      - scan-image
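Review bot: all three rhacs tasks in this sample pipeline hardcode `insecure-skip-tls-verify: "true"`, and the `# stackrox to OCP image registry x509 fail...` comment on `scan-image` shows it is a workaround rather than a deliberate choice; declare an `insecure-skip-tls-verify` pipeline param with default `"false"` and pass `$(params.insecure-skip-tls-verify)` to each task, so the sample does not ship with certificate verification disabled and a PipelineRun can opt in explicitly. Also, `deployment-name` is declared ("name of the deployment resource to be patched") but no task in the pipeline references it; remove it or add the task that uses it.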
diff --git a/task/rhacs-deployment-check/4.0/samples/with-api-token/secrets.yaml b/task/rhacs-deployment-check/4.0/samples/with-api-token/secrets.yaml
deleted file mode 100644
index 304f9b0..0000000
--- a/task/rhacs-deployment-check/4.0/samples/with-api-token/secrets.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
-  name: rox-api-token
-data:
-  rox_api_token: EXAMPLE
----
-apiVersion: v1
-kind: Secret
-type: Opaque
-data:
-  rox_central_endpoint: Y2VudHJhbC5zdGFja3JveC5zdmM6NDQz
-metadata:
-  name: rox-central-endpoint
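Review bot: `rox_api_token: EXAMPLE` sits under `data:`, which Kubernetes requires to be base64-encoded; `EXAMPLE` is not valid padded base64, so `kubectl apply` rejects this Secret, whereas the endpoint value `Y2VudHJhbC5zdGFja3JveC5zdmM6NDQz` in the second document is encoded correctly. Put the placeholder under `stringData:` instead (the API server encodes it), or supply a base64 placeholder. Minor: the second Secret lists `data:` before `metadata:`; order it like the first.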
diff --git a/task/rhacs-deployment-check/4.0/samples/with-m2m-token/pipelinerun.yaml b/task/rhacs-deployment-check/4.0/samples/with-m2m-token/pipelinerun.yaml
deleted file mode 100644
index ccdfa5f..0000000
--- a/task/rhacs-deployment-check/4.0/samples/with-m2m-token/pipelinerun.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
----
-apiVersion: tekton.dev/v1beta1
-kind: PipelineRun
-metadata:
-  name: rox-pipelinerun
-spec:
-  pipelineRef:
-    name: rox-pipeline
-  params:
-  - name: deployment-name
-    value: pipelines-vote-api
-  - name: deployment
-    value: k8s/deployment.yaml
-  - name: git-url
-    value: https://github.com/openshift/pipelines-vote-api.git
-  - name: git-revision
-    value: pipelines-1.7
-  - name: IMAGE
-    value: image-registry.openshift-image-registry.svc:5000/$(context.pipelineRun.namespace)/pipelines-vote-ui
-  - name: insecure-skip-tls-verify
-    value: "true"
-  workspaces:
-  - name: shared-workspace
-    volumeClaimTemplate:
-      spec:
-        accessModes:
-          - ReadWriteOnce
-        resources:
-          requests:
-            storage: 500Mi
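Review bot: this PipelineRun passes `insecure-skip-tls-verify: "true"`, but the `rox-pipeline` sample in this diff declares only `deployment-name`, `deployment`, `git-url`, `git-revision` and `IMAGE`, so the value is not bound to any pipeline param; either declare it in the Pipeline and forward it to the rhacs tasks, or drop it here. The sample is also internally inconsistent: `deployment-name` is `pipelines-vote-api` while `IMAGE` ends in `pipelines-vote-ui`; align the two. Since this file is a byte-identical rename into `with-m2m-token/`, it still drives the API-token flow and does not reference `rhacs-m2m-authenticate` at all.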
diff --git a/task/rhacs-deployment-check/OWNERS b/task/rhacs-deployment-check/OWNERS
deleted file mode 100644
index 1af341f..0000000
--- a/task/rhacs-deployment-check/OWNERS
+++ /dev/null
@@ -1,6 +0,0 @@
-approvers:
-- dlbewley
-- MoOyeg
-reviewers:
-- dlbewley
-- MoOyeg
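Review bot: deleting `task/rhacs-deployment-check/OWNERS` removes dlbewley and MoOyeg as approvers and reviewers for this task, after which approval falls back to the repository-level OWNERS; if the intent is to hand maintenance to the RHACS team, update the names in the file rather than delete it, and say so in the commit message.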
diff --git a/task/rhacs-deployment-check/3.71/samples/secrets.yaml b/task/rhacs-deployment-check/4.0/samples/with-api-token/secrets.yaml
similarity index 100%
rename from task/rhacs-deployment-check/3.71/samples/secrets.yaml
rename to task/rhacs-deployment-check/4.0/samples/with-api-token/secrets.yaml
diff --git a/task/rhacs-deployment-check/3.71/samples/pipelinerun.yaml b/task/rhacs-deployment-check/4.0/samples/with-m2m-token/pipelinerun.yaml
similarity index 100%
rename from task/rhacs-deployment-check/3.71/samples/pipelinerun.yaml
rename to task/rhacs-deployment-check/4.0/samples/with-m2m-token/pipelinerun.yaml
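Review bot: the PR description promises Secret, Pipeline and PipelineRun samples for both the with-api-token and with-m2m-token variants, but this diff shows only `secrets.yaml` moving to `with-api-token/` and `pipelinerun.yaml` moving to `with-m2m-token/`, both at 100% similarity; `with-m2m-token/secrets.yaml`, a `pipeline.yaml` for each variant, and `with-api-token/pipelinerun.yaml` do not appear. Add the missing samples (the m2m run in particular needs to wire in `rhacs-m2m-authenticate`) or trim the description to what is shipped.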

dhaus67 commented May 13, 2024

@vinamra28 I'm working together with @rhybrillou for the series of PRs, so I took the liberty to split them:

Hope this split makes things easier to review!

@khrm (Contributor) left a comment:

/ok-to-test

@tekton-robot tekton-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels May 14, 2024
@tekton-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: vdemeester

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 14, 2024
dhaus67 commented May 21, 2024

/assign vdemeester

```yaml
tekton.dev/categories: Security
tekton.dev/displayName: "Policy check a deployment with Red Hat Advanced Cluster Security"
tekton.dev/platforms: "linux/amd64,linux/arm64,linux/ppc64le,linux/s390x,darwin/amd64,darwin/arm64,windows/amd64"
tekton.dev/pipelines.minVersion: "0.43.0"
```
Review comment (Member) on the lines above:
I guess tekton.dev/v1 was introduced in 0.50.0; can we set that version here? 😅

@vinamra28 (Member)

/test pull-catalog-catlin-lint

@tekton-robot

@vinamra28: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

  • /test pull-tekton-catalog-build-tests
  • /test pull-tekton-catalog-integration-tests
  • /test pull-tekton-catalog-unit-tests

Use /test all to run all jobs.

In response to this:

/test pull-catalog-catlin-lint

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@tekton-robot

Catlin Output
FILE: task/helm-upgrade-from-repo/0.3/helm-upgrade-from-repo.yaml
HINT : Task: tekton.dev/v1beta1 - name: "helm-upgrade-from-repo" is missing a readable display name annotation("tekton.dev/displayName")
WARN : Step "upgrade-from-repo" uses image "$(params.helm_image)" that contains variables; skipping validation
FILE: task/helm-upgrade-from-source/0.4/helm-upgrade-from-source.yaml
HINT : Task: tekton.dev/v1beta1 - name: "helm-upgrade-from-source" is missing a readable display name annotation("tekton.dev/displayName")
WARN : Step "upgrade" uses image "$(params.helm_image)" that contains variables; skipping validation
FILE: task/rhacs-deployment-check/4.0/rhacs-deployment-check.yaml
Catlin script lint Output
ERROR: /usr/bin/shellcheck, [-s sh] failed:

In helm-upgrade-from-repo-upgrade-from-repo line 5:
REPO=`echo "$(params.chart_name)" | cut -d "/" -f 1`
     ^-- SC2006 (style): Use $(...) notation instead of legacy backticks `...`.
           ^--------------------^ SC2005 (style): Useless echo? Instead of 'echo $(cmd)', just use 'cmd'.

Did you mean: 
REPO=$(echo "$(params.chart_name)" | cut -d "/" -f 1)


In helm-upgrade-from-repo-upgrade-from-repo line 7:
helm repo add $REPO "$(params.helm_repo)"
              ^---^ SC2086 (info): Double quote to prevent globbing and word splitting.

Did you mean: 
helm repo add "$REPO" "$(params.helm_repo)"


In helm-upgrade-from-repo-upgrade-from-repo line 11:
helm upgrade --wait --install --namespace "$(params.release_namespace)" $(params.release_name) $(params.chart_name) --debug --set "$(params.overwrite_values)"
                                                                        ^--------------------^ SC2046 (warning): Quote this to prevent word splitting.
                                                                                               ^------------------^ SC2046 (warning): Quote this to prevent word splitting.

For more information:
  https://www.shellcheck.net/wiki/SC2046 -- Quote this to prevent word splitt...
  https://www.shellcheck.net/wiki/SC2086 -- Double quote to prevent globbing ...
  https://www.shellcheck.net/wiki/SC2005 -- Useless echo? Instead of 'echo $(...

ERROR: /usr/bin/shellcheck, [-s sh] failed:

In helm-upgrade-from-source-upgrade line 6:
helm upgrade --install --wait --values "$(params.charts_dir)/$(params.values_file)" --namespace "$(params.release_namespace)" --version "$(params.release_version)" "$(params.release_name)" "$(params.charts_dir)" --debug --set "$(params.overwrite_values)" $(params.upgrade_extra_params)
                                                                                                                                                                                                                                                               ^----------------------------^ SC2046 (warning): Quote this to prevent word splitting.

For more information:
  https://www.shellcheck.net/wiki/SC2046 -- Quote this to prevent word splitt...

@tekton-robot

Diff between version and 4.0
diff --git a/task/rhacs-deployment-check/3.71/README.md b/task/rhacs-deployment-check/3.71/README.md
deleted file mode 100644
index a81b495..0000000
--- a/task/rhacs-deployment-check/3.71/README.md
+++ /dev/null
@@ -1,72 +0,0 @@
-# Red Hat Advanced Cluster Security Deployment Check Task
-
-Check a deployment manifest against RHACS deploy lifecycle policies to validate a pipeline run using `roxctl`.
-
-## Prerequisites
-
-This task requires an active installation of [Red Hat Advanced Cluster Security (RHACS)](https://www.redhat.com/en/resources/advanced-cluster-security-for-kubernetes-datasheet).  It also requires configuration of secrets for the Central endpoint and an API token with at least CI privileges.
-
-<https://www.redhat.com/en/technologies/cloud-computing/openshift/advanced-cluster-security-kubernetes>
-
-## Install the Task
-
-```bash
-kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/rhacs-deployment-check/3.71/raw
-```
-
-## Parameters
-
-- **`deployment`**: Filename of deployment manifest. May be relative to workspace root or fully qualified. (example -- kustomize/overlays/dev/deployment.yaml)
-- **`insecure-skip-tls-verify`**: Skip verification the TLS certs of the Central endpoint and registry. Examples: _"true", **"false"**_.
-- **`output_format`**:  Examples: _**table**, csv, json, junit_
-- **`rox_central_endpoint`**: Secret containing the address:port tuple for StackRox Central. Default: _**rox-central-endpoint**_
-- **`rox_api_token`**: Secret containing the StackRox API token with CI permissions. Default: _**rox-api-token**_
-## Workspaces
-
-- **source**: A [Workspace](https://github.com/tektoncd/pipeline/blob/main/docs/workspaces.md) containing the deployment manifest.
-
-## Usage
-
-Create secrets for authentication to RHACS Central endpoint and supply filesystem path to deployment manifest for checking.
-
-Run this task after rhacs-image-scan to ensure most up to date CVE data for images referenced by the deployment.
-
-If the deployment violates one or more enforced policies, this task will return a failure and cause the pipeline run to fail. 
-
-**Example secret creation:**
-
-```bash
-kubectl create secret generic rox-api-token \
-  --from-literal=rox_api_token="$ROX_API_TOKEN"
-kubectl create secret generic rox-central-endpoint \
-  --from-literal=rox_central_endpoint=central.stackrox.svc:443
-```
-
-**Example task use:**
-
-```yaml
-  tasks:
-    - name: check-deployment
-    taskRef:
-      name: rhacs-deployment-check
-      kind: Task
-    workspaces:
-    - name: source
-      workspace: shared-workspace
-    params:
-    - name: deployment
-      value: $(params.deployment)
-    runAfter:
-    - fetch-repository
-```
-
-**Samples:**
-
-* [secrets.yaml](samples/secrets.yaml) example secret
-* [pipeline.yaml](samples/pipeline.yaml) demonstrates use in a pipeline.
-* [pipelinerun.yaml](samples/pipelinerun.yaml) demonstrates use in a pipelinerun.
-
-# Known Issues
-
-* Skipping TLS Verify is currently required. TLS trust bundle not working for quay.io etc.
-* If the namespace value is not found in the deployment manifest any RHACS policies which are scoped to specific namespaces will not be matched.
\ No newline at end of file
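Review bot: the Known Issues entry "Skipping TLS Verify is currently required" contradicts the task's `insecure-skip-tls-verify` default of `"false"`; if this text is reused for the 4.0 README it should say exactly when verification must be disabled and otherwise point users at a working trust bundle. Two smaller points in the same hunk: `## Workspaces` directly follows the `rox_api_token` bullet with no blank line, which breaks rendering of the parameter list, and "Skip verification the TLS certs" should read "Skip verification of the TLS certs".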
diff --git a/task/rhacs-deployment-check/3.71/rhacs-deployment-check.yaml b/task/rhacs-deployment-check/3.71/rhacs-deployment-check.yaml
deleted file mode 100644
index 1ea649a..0000000
--- a/task/rhacs-deployment-check/3.71/rhacs-deployment-check.yaml
+++ /dev/null
@@ -1,83 +0,0 @@
----
-apiVersion: tekton.dev/v1beta1
-kind: Task
-metadata:
-  name: rhacs-deployment-check
-  labels:
-    app.kubernetes.io/version: "3.71"
-  annotations:
-    tekton.dev/tags: security
-    tekton.dev/categories: Security
-    tekton.dev/displayName: "Policy check a deployment with Red Hat Advanced Cluster Security"
-    tekton.dev/platforms: "linux/amd64"
-    tekton.dev/pipelines.minVersion: "0.18.0"
-spec:
-  description: >-
-    Policy check a deployment with Red Hat Advanced Cluster Security.
-
-    This tasks allows you to check a Kubernetes deployment manifest against policies
-    and apply enforcement to fail pipelines.
-  params:
-    - name: rox_central_endpoint
-      type: string
-      description: Name of secret containing the address:port tuple for RHACS Stackrox Central.
-      default: rox-central-endpoint
-    - name: rox_api_token
-      type: string
-      description: Name of secret containing the RHACS StackRox API token with CI permissions.
-      default: rox-api-token
-    - name: rox_image
-      description: Image providing the roxctl tool.
-      default: quay.io/stackrox-io/roxctl:3.71.0
-    - name: deployment
-      type: string
-      description: |
-        Deployment filename to check.
-        Examples: 'deployment.yaml', '$(workspaces.source.path)/base/deployment.yaml'
-      default: '$(workspaces.source.path)/deployment.yaml'
-    - name: output_format
-      description: Results output format (csv | json | junit | table)
-      type: string
-      default: "table"
-    - name: insecure-skip-tls-verify
-      type: string
-      description: |
-        Do not verify TLS certificates.
-
-        When set to "true", skip verifying the TLS certs of the Central endpoint and registry.
-      default: "false"
-  workspaces:
-    - name: source
-  results:
-    - name: check_output
-      description: Output of `roxctl deployment check`
-  steps:
-    - name: rox-deploy-check
-      image: $(params.rox_image)
-      workingDir: $(workspaces.source.path)
-      env:
-        - name: DEPLOYMENT
-          value: $(params.deployment)
-        - name: HOME
-          value: /tekton/home
-        - name: INSECURE
-          value: $(params.insecure-skip-tls-verify)
-        - name: OUTPUT
-          value: $(params.output_format)
-        - name: ROX_API_TOKEN
-          valueFrom:
-            secretKeyRef:
-              name: $(params.rox_api_token)
-              key: rox_api_token
-        - name: ROX_CENTRAL_ENDPOINT
-          valueFrom:
-            secretKeyRef:
-              name: $(params.rox_central_endpoint)
-              key: rox_central_endpoint
-      args:
-        - deployment
-        - check
-        - --endpoint=$(ROX_CENTRAL_ENDPOINT)
-        - --insecure-skip-tls-verify=$(INSECURE)
-        - --output=$(OUTPUT)
-        - --file=$(DEPLOYMENT)
\ No newline at end of file
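Review bot: the task declares a `check_output` result, but the `rox-deploy-check` step only runs `roxctl deployment check` and never writes to `$(results.check_output.path)`, so consumers of that result will always get an empty value; either capture the command output into the result or drop the declaration. Also, `rox_image` is the only param without `type: string`, its default `quay.io/stackrox-io/roxctl:3.71.0` is a mutable tag (pin by digest so the scanner image cannot change underneath a pipeline), "This tasks allows you" should read "This task allows you", and the file lacks a trailing newline.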
diff --git a/task/rhacs-deployment-check/3.71/samples/pipeline.yaml b/task/rhacs-deployment-check/3.71/samples/pipeline.yaml
deleted file mode 100644
index 3fe2941..0000000
--- a/task/rhacs-deployment-check/3.71/samples/pipeline.yaml
+++ /dev/null
@@ -1,100 +0,0 @@
-apiVersion: tekton.dev/v1beta1
-kind: Pipeline
-metadata:
-  name: rox-pipeline
-spec:
-
-  workspaces:
-    - name: shared-workspace
-
-  params:
-    - name: deployment-name
-      type: string
-      description: name of the deployment resource to be patched
-    - name: deployment
-      type: string
-      description: filename of the deployment to be patched
-    - name: git-url
-      type: string
-      description: url of the git repo for the code of deployment
-    - name: git-revision
-      type: string
-      description: revision to be used from repo of the code for deployment
-      default: main
-    - name: IMAGE
-      type: string
-      description: image to be build from the code
-
-  tasks:
-    # checkout source code
-    - name: fetch-repository
-      taskRef:
-        name: git-clone
-        kind: ClusterTask
-      workspaces:
-      - name: output
-        workspace: shared-workspace
-      params:
-      - name: url
-        value: $(params.git-url)
-      - name: subdirectory
-        value: ""
-      - name: deleteExisting
-        value: "true"
-      - name: revision
-        value: $(params.git-revision)
-
-    # validate deployment against defined  RHACS policies
-    - name: police-deployment
-      taskRef:
-        name: rhacs-deployment-check
-        kind: Task
-      workspaces:
-      - name: source
-        workspace: shared-workspace
-      params:
-      - name: deployment
-        value: $(params.deployment)
-      - name: insecure-skip-tls-verify
-        value: "true"
-      runAfter:
-      - fetch-repository
-
-    - name: build-image
-      taskRef:
-        name: buildah
-        kind: ClusterTask
-      params:
-      - name: IMAGE
-        value: $(params.IMAGE)
-      workspaces:
-      - name: source
-        workspace: shared-workspace
-      runAfter:
-      - fetch-repository
-
-    # scan image for vulns using RHACS
-    - name: scan-image
-      taskRef:
-        name: rhacs-image-scan
-        kind: Task
-      params:
-      - name: image
-        value: "$(params.IMAGE)@$(tasks.build-image.results.IMAGE_DIGEST)"
-      - name: insecure-skip-tls-verify
-        value: "true" # stackrox to OCP image registry x509 fail...
-      runAfter:
-      - build-image
-
-    # validate image against RHACS policies
-    - name: police-image
-      taskRef:
-        name: rhacs-image-check
-        kind: Task
-      params:
-      - name: image
-        value: "$(params.IMAGE)@$(tasks.build-image.results.IMAGE_DIGEST)"
-      - name: insecure-skip-tls-verify
-        value: "true"
-      runAfter:
-      - scan-image
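Review bot: `police-deployment`, `scan-image` and `police-image` all hard-code `insecure-skip-tls-verify: "true"` (the comment "stackrox to OCP image registry x509 fail..." explains why), so this sample never verifies Central's certificate; expose it as a pipeline param with a `"false"` default rather than baking the insecure setting into the sample. Minor: `git-clone` and `buildah` are referenced as `kind: ClusterTask`, which is deprecated in recent Tekton Pipelines releases, and "image to be build" should read "image to be built".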
diff --git a/task/rhacs-deployment-check/4.0/samples/with-api-token/secrets.yaml b/task/rhacs-deployment-check/4.0/samples/with-api-token/secrets.yaml
deleted file mode 100644
index 304f9b0..0000000
--- a/task/rhacs-deployment-check/4.0/samples/with-api-token/secrets.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
-  name: rox-api-token
-data:
-  rox_api_token: EXAMPLE
----
-apiVersion: v1
-kind: Secret
-type: Opaque
-data:
-  rox_central_endpoint: Y2VudHJhbC5zdGFja3JveC5zdmM6NDQz
-metadata:
-  name: rox-central-endpoint
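Review bot: `rox_api_token: EXAMPLE` sits under `data:`, which must hold base64; `EXAMPLE` is not valid base64 (its length is not a multiple of 4), so applying this sample as-is fails validation. Use `stringData:` with an obvious placeholder value, or a valid base64 placeholder, and for consistency put `metadata` before `data` in the second Secret as in the first.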
diff --git a/task/rhacs-deployment-check/4.0/samples/with-m2m-token/pipelinerun.yaml b/task/rhacs-deployment-check/4.0/samples/with-m2m-token/pipelinerun.yaml
deleted file mode 100644
index ccdfa5f..0000000
--- a/task/rhacs-deployment-check/4.0/samples/with-m2m-token/pipelinerun.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
----
-apiVersion: tekton.dev/v1beta1
-kind: PipelineRun
-metadata:
-  name: rox-pipelinerun
-spec:
-  pipelineRef:
-    name: rox-pipeline
-  params:
-  - name: deployment-name
-    value: pipelines-vote-api
-  - name: deployment
-    value: k8s/deployment.yaml
-  - name: git-url
-    value: https://github.com/openshift/pipelines-vote-api.git
-  - name: git-revision
-    value: pipelines-1.7
-  - name: IMAGE
-    value: image-registry.openshift-image-registry.svc:5000/$(context.pipelineRun.namespace)/pipelines-vote-ui
-  - name: insecure-skip-tls-verify
-    value: "true"
-  workspaces:
-  - name: shared-workspace
-    volumeClaimTemplate:
-      spec:
-        accessModes:
-          - ReadWriteOnce
-        resources:
-          requests:
-            storage: 500Mi
diff --git a/task/rhacs-deployment-check/OWNERS b/task/rhacs-deployment-check/OWNERS
deleted file mode 100644
index 1af341f..0000000
--- a/task/rhacs-deployment-check/OWNERS
+++ /dev/null
@@ -1,6 +0,0 @@
-approvers:
-- dlbewley
-- MoOyeg
-reviewers:
-- dlbewley
-- MoOyeg
diff --git a/task/rhacs-deployment-check/3.71/samples/secrets.yaml b/task/rhacs-deployment-check/4.0/samples/with-api-token/secrets.yaml
similarity index 100%
rename from task/rhacs-deployment-check/3.71/samples/secrets.yaml
rename to task/rhacs-deployment-check/4.0/samples/with-api-token/secrets.yaml
diff --git a/task/rhacs-deployment-check/3.71/samples/pipelinerun.yaml b/task/rhacs-deployment-check/4.0/samples/with-m2m-token/pipelinerun.yaml
similarity index 100%
rename from task/rhacs-deployment-check/3.71/samples/pipelinerun.yaml
rename to task/rhacs-deployment-check/4.0/samples/with-m2m-token/pipelinerun.yaml

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/feature Categorizes issue or PR as related to a new feature. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.