Image tagging in konflux pipeline

It’s easy to modify the tekton file to tag an image with the ‘latest’ tag. There is an ‘apply-tags’ section in the push pipeline, where we can add the following params:

    - name: apply-tags
      params:
      - name: ADDITIONAL_TAGS
        value:
        - latest-rootless

All the images will be tagged with the ‘latest-rootless’ tag.

However, tagging with the ‘latest’ tag poses risks. There are many texts out there explaining why it’s not a good idea to use fluid tags. You can never be sure which image version hides under the latest tag, whether it is stable, or whether it will cause unexpected behavior and lead to unpredictable deployments. It also makes it difficult to roll back to a previous version if anything goes wrong.

I saw two options to pass the version to the konflux build. The Forgejo project uses a VERSION file to store the release version, from where it could be retrieved. Another option is to use the build-args-file buildah option to pass variables in a file inside the image through the tekton file. This works by adding build-args-file to the params of the tekton file:

    spec:
      params:
      - name: build-args-file
        value: build-args

The passed file can have any name and should contain the variable we want to pass inside:

    RELEASE_VERSION=v13.0.0-7

Whether it becomes an ARG or an ENV, used only at build time or at runtime, is decided in the Containerfile.

We decided to use the VERSION file with the same versioning as in upstream Forgejo and add an extra version number with a dash. So the version format looks like this: 13.0.0-7 (Forgejo version - our version).

In tekton files it is possible to run scripts. Claude-4.5-Sonnet helped me generate a script that reads the content of the VERSION file and tags the image with it.

However, the AI model did not recommend an existing konflux task and had some other inaccuracies, but it gave me a general idea of what it could look like. The run-script-oci-ta task from the konflux-ci repository seemed like a good choice.

The task runs from an image defined in konflux-ci/tekton-catalog and runs the script inside the container built from an image defined in the SCRIPT_RUNNER_IMAGE parameter, for which I chose fedora-minimal:42.

It’s necessary to know where the VERSION file will be available inside the container: it is under /var/workdir/source, where our oci-image-definitions repository is copied, and from there the relative path to the VERSION file.

It’s also important to add the other required parameters, which are ociStorage and SOURCE_ARTIFACT.

After that it stores any output in the SCRIPT_OUTPUT variable, from where we can recover it and use it as a value in the ADDITIONAL_TAGS section.

For our versioning conventions, we’re adding ‘v’ to the image tag.

The entire task definition looks like this:

    - name: read-version
      params:
      - name: SOURCE_ARTIFACT
        value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
      - name: SCRIPT_RUNNER_IMAGE
        value: quay.io/fedora/fedora-minimal:42
      - name: ociStorage
        value: $(params.output-image).script
      - name: SCRIPT
        value: |
          #!/bin/bash
          set -e
          VERSION=$(cat /var/workdir/source/forgejo/staging/VERSION | tr -d '\n\r')
          echo -n "v$VERSION" | tee "$SCRIPT_OUTPUT"
      runAfter:
      - prefetch-dependencies
      taskRef:
        params:
        - name: name
          value: run-script-oci-ta
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-run-script-oci-ta:0.1@sha256:834a934f1e631a79aea7f2d001162cf90086e664e648c8ca15b69ad9798571ee
        - name: kind
          value: task
        resolver: bundles
    - name: apply-tags
      params:
      - name: ADDITIONAL_TAGS
        value:
        - $(tasks.read-version.results.SCRIPT_OUTPUT)
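
A stricter variant of the read-version script, as an added example that is not part of the original post or of the konflux task: it checks that VERSION holds exactly one string in the 13.0.0-7 format before turning it into a tag. The helper name version_to_tag is an assumption made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): validate VERSION before tagging.
# Assumed format, from the convention above: <major>.<minor>.<patch>-<build>,
# e.g. 13.0.0-7. version_to_tag is a hypothetical helper name.

# Print "v<version>" and return 0 only if FILE holds exactly one well-formed
# version string; otherwise print the reason to stderr and return 1.
version_to_tag() {
    file=$1
    if [ ! -f "$file" ] || [ ! -r "$file" ]; then
        echo "cannot read VERSION file: $file" >&2
        return 1
    fi
    # Strip carriage returns only. $(...) drops trailing newlines, so an
    # embedded newline survives and is rejected by the digit checks below
    # instead of being silently joined into one longer tag.
    content=$(tr -d '\r' < "$file")

    major=${content%%.*};  rest=${content#*.}
    minor=${rest%%.*};     rest=${rest#*.}
    patch=${rest%%-*};     build=${rest#*-}

    for part in "$major" "$minor" "$patch" "$build"; do
        case $part in
            ''|*[!0-9]*)
                echo "unexpected VERSION content in $file" >&2
                return 1 ;;
        esac
    done
    # Reassembly catches inputs with missing separators, e.g. a bare "13".
    if [ "$major.$minor.$patch-$build" != "$content" ]; then
        echo "unexpected VERSION content in $file" >&2
        return 1
    fi
    # Image tags are limited to 128 characters.
    tag="v$content"
    if [ "${#tag}" -gt 128 ]; then
        echo "tag too long: ${#tag} characters" >&2
        return 1
    fi
    printf '%s' "$tag"
}
```

When using it in the SCRIPT parameter, capture the result first (`tag=$(version_to_tag /var/workdir/source/forgejo/staging/VERSION)`) and then write `$tag` to `$SCRIPT_OUTPUT`: with plain `set -e`, piping straight into `tee` would hide a failed validation because the pipeline reports the exit status of `tee`.
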

Written on October 19, 2025