feat(ISV-7024): Add when conditions to pipeline tasks

I reviewed the pipeline tasks to figure out if optional tasks can be
skipped using native "when" conditions. In some cases this is
applicable, however there are still limitation where it can't be used.
To document a guidelines I am adding a doc with examples and decision
tree of where the "when" can or can't be used.

Signed-off-by: Ales Raszka <araszka@redhat.com>

Author: Allda

ansible/roles/operator-pipeline/templates/openshift/pipelines/operator-hosted-pipeline.yml

@@ -315,7 +315,8 @@ spec:
       taskRef:
         name: yaml-lint
       when:
-        - input: "$(tasks.detect-changes.results.bundle_path)"
+        - &isBundlePathAvailable
+          input: "$(tasks.detect-changes.results.bundle_path)"
           operator: notin
           values: [""]
       params:
@@ -409,30 +410,12 @@ spec:
           workspace: results
           subPath: summary
 
-    - name: resolve-pr-type
-      taskRef:
-        name: resolve-pr-type
-        kind: Task
-      runAfter:
-        - read-config
-      params:
-        - name: pipeline_image
-          value: "$(params.pipeline_image)"
-        - name: bundle_path
-          value: "$(tasks.detect-changes.results.bundle_path)"
-        - name: affected_catalogs
-          value: "$(tasks.detect-changes.results.affected_catalogs)"
-        - name: affected_catalog_operators
-          value: "$(tasks.detect-changes.results.affected_catalog_operators)"
-        - name: fbc-enabled
-          value: "$(tasks.read-config.results.fbc-enabled)"
-
     - name: validate-catalog-format
       taskRef:
         name: validate-catalog-format
         kind: Task
       runAfter:
-        - resolve-pr-type
+        - read-config
       when:
         - input: "$(tasks.detect-changes.results.added_or_modified_catalogs)"
           operator: notin
@@ -695,6 +678,11 @@ spec:
         - static-tests
       taskRef:
         name: merge-registry-credentials
+      when:
+        - &isCertProjectRequired
+          input: "$(params.cert_project_required)"
+          operator: in
+          values: ["true"]
       params:
         - name: pipeline_image
           value: "$(params.pipeline_image)"
@@ -717,6 +705,8 @@ spec:
         - merge-registry-credentials
       taskRef:
         name: digest-pinning
+      when:
+        - *isCertProjectRequired
       params:
         - name: pipeline_image
           value: "$(params.pipeline_image)"
@@ -732,26 +722,15 @@ spec:
         - name: registry-credentials
           workspace: registry-credentials-all
 
-    - name: verify-pinned-digest
-      runAfter:
-        - digest-pinning
-      taskRef:
-        name: verify-pinned-digest
-      params:
-        - name: dirty_flag
-          value: "$(tasks.digest-pinning.results.dirty_flag)"
-        - name: related_images_flag
-          value: "$(tasks.digest-pinning.results.related_images_flag)"
-        - name: related_images_message
-          value: "$(tasks.digest-pinning.results.related_images_message)"
-
     # Build images- bundle and index and push them to registry.
     # Those steps are also a part of the CI pipeline.
     - name: dockerfile-creation
       runAfter:
-        - verify-pinned-digest
+        - digest-pinning
       taskRef:
         name: dockerfile-creation
+      when:
+        - *isBundlePathAvailable
       params:
         - name: pipeline_image
           value: "$(params.pipeline_image)"
@@ -771,6 +750,8 @@ spec:
       taskRef:
         name: buildah
         kind: Task
+      when:
+        - *isBundlePathAvailable
       params:
         - name: IMAGE
           value: &bundleImage "$(params.registry)/$(params.image_namespace)/$(tasks.detect-changes.results.added_operator):$(tasks.detect-changes.results.added_bundle)"
@@ -1172,6 +1153,10 @@ spec:
         - get-ci-results
       taskRef:
         name: link-pull-request
+      when:
+        - input: "$(tasks.get-ci-results.results.test_result_id)"
+          operator: notin
+          values: [""]
       params:
         - name: pipeline_image
           value: "$(params.pipeline_image)"
@@ -1197,9 +1182,7 @@ spec:
       taskRef:
         name: query-publishing-checklist
       when:
-        - input: "$(tasks.certification-project-check.results.certification_project_id)"
-          operator: "notin"
-          values: [""]
+        - *certProjectExists
         - input: "$(tasks.detect-changes.results.affected_catalogs)"
           operator: in
           values: [""]
@@ -1293,6 +1276,9 @@ spec:
         - input: $(tasks.merge-pr.results.pr_merged)
           operator: in
           values: ["true"]
+        - input: $(tasks.get-ci-results.results.test_result_id)
+          operator: notin
+          values: [""]
       taskRef:
         name: link-pull-request
       params:

ansible/roles/operator-pipeline/templates/openshift/tasks/digest-pinning.yml

@@ -12,6 +12,9 @@ spec:
     - name: digest_pinning_tool_image
       description: Digest pinning tool image
       default: "quay.io/redhat-isv/digest-pinning-tool@sha256:7e9dd84000e597e5591d94e791e7c0be1f1efe7e60ab915b200c5c0dff2fa6ba"
+    - name: enforce_pinning
+      description: A flag to enforce digest pinning
+      default: "true"
   results:
     - name: dirty_flag
     - name: related_images_flag
@@ -104,6 +107,10 @@ spec:
         if [[ $REPLACEMENT_COUNT -gt 0 ]]; then
           echo "Manifests were not pinned."
           echo -n "true" | tee $(results.dirty_flag.path)
+          if  [[ "$(params.enforce_pinning)" == "true" ]]; then
+            echo "Digest pinning is enforced. Failing the task."
+            exit 1
+          fi
         else
           echo "Manifests are pinned."
           echo -n "false" | tee $(results.dirty_flag.path)
@@ -135,13 +142,20 @@ spec:
         CSVFILE=$(find $BUNDLE_PATH -name "*clusterserviceversion.yaml" -o -name "*clusterserviceversion.yml")
         RELATED_IMAGE_COUNT=$(yq -e '.spec.relatedImages | length' $CSVFILE)
 
+        PASS=true
         if [[ $RELATED_IMAGE_COUNT -ge $REFERENCE_COUNT ]]; then
           echo -n "Related images section exists." | tee $(results.related_images_message.path)
-          echo -n "true" | tee $(results.related_images_flag.path)
-        elif [[ $RELATED_IMAGE_COUNT -lt $REFERENCE_COUNT && $RELATED_IMAGE_COUNT -gt 0 ]]; then
+        elif [[ $RELATED_IMAGE_COUNT -gt 0 ]]; then
           echo -n "The relatedImages section in your CSV covers only $RELATED_IMAGE_COUNT of the $REFERENCE_COUNT images detected in your CSV." | tee $(results.related_images_message.path)
-          echo -n "false" | tee $(results.related_images_flag.path)
+          PASS=false
         else
           echo -n "The relatedImages section is missing from the CSV" | tee $(results.related_images_message.path)
-          echo -n "false" | tee $(results.related_images_flag.path)
+          PASS=false
+        fi
+
+        echo -n "$PASS" | tee $(results.related_images_flag.path)
+
+        if [[ "$PASS" == "false" && "$(params.enforce_pinning)" == "true" ]]; then
+          echo "Digest pinning is enforced. Failing the task."
+          exit 1
         fi

docs/tekton-when-condition-guidelines.md

@@ -0,0 +1,182 @@
+# Guidelines for Using Tekton `when` Conditions
+
+This document defines when pipeline-level `when` conditions can and cannot be used in this
+project's Tekton pipelines. These rules exist because a skipped task still participates in the
+pipeline graph: its results become empty strings, `runAfter` dependents still execute, and any
+downstream task that consumes those empty results may silently misbehave or fail.
+
+---
+
+## Rules at a Glance
+
+| Scenario                                                                                                                     | Allowed |
+| ---------------------------------------------------------------------------------------------------------------------------- | ------- |
+| Task has no downstream dependents                                                                                            | ✅ Yes   |
+| `when` input is a pipeline parameter                                                                                         | ✅ Yes   |
+| `when` input is a task result, the source task cannot be skipped, AND the guarded task has no task results in its own params | ✅ Yes   |
+| `when` input is a task result AND the source task can itself be skipped                                                      | ❌ No    |
+| `when` input is a task result AND the guarded task also consumes task results in its params                                  | ❌ No    |
+
+---
+
+## Rule 1 — No downstream dependents
+
+A `when` condition is always safe when no other task depends on the guarded task's results or
+uses it in a `runAfter` chain. There is no cascading effect if the task is skipped.
+
+```yaml
+# Safe: nothing downstream reads this task's results
+- name: notify-slack
+  taskRef:
+    name: send-slack-notification
+  when:
+    - input: $(tasks.check.results.failed)
+      operator: in
+      values: ["true"]
+  params:
+    - name: message
+      value: "Pipeline failed"
+```
+
+---
+
+## Rule 2 — `when` input is a pipeline parameter
+
+Using a pipeline parameter as the `when` condition input is always safe. Pipeline parameters are
+resolved before any task runs and are guaranteed to be non-empty (or have a known default). No
+task result propagation is involved.
+
+```yaml
+# Safe: condition is a pipeline param, not a task result
+- name: publish-pyxis-data
+  taskRef:
+    name: publish-pyxis-data
+  when:
+    - input: $(params.cert_project_required)
+      operator: in
+      values: ["true"]
+  params:
+    - name: cert_project_id
+      value: $(params.cert_project_id)
+```
+
+---
+
+## Rule 3 — `when` input is a task result, source task cannot be skipped, guarded task has no task results in params
+
+A task result can be used as a `when` condition input when **all three** of the following hold:
+
+1. The task that produces the result **cannot itself be skipped** — it has no `when` condition and
+   always runs. If the source task can be skipped, its result becomes an empty string, making the
+   `when` condition unreliable (it may silently evaluate as if the condition were false, with no
+   indication that the source task was skipped rather than producing a genuine empty value).
+2. The guarded task's own params **contain no task results** — all param values come from pipeline
+   parameters, literal strings, or workspace references.
+3. Downstream tasks that receive the guarded task's results must already handle empty values (via
+   their own `when` conditions or inner script guards), since a skipped task's results become empty
+   strings.
+
+```yaml
+# NOT allowed: source task (some-upstream-task) has its own when condition and can be skipped.
+# If it is skipped, its result is "", and the when condition below becomes meaningless.
+- name: some-upstream-task
+  when:
+    - input: $(params.flag)
+      operator: in
+      values: ["true"]
+  ...
+
+- name: guarded-task
+  when:
+    - input: $(tasks.some-upstream-task.results.value)  # ❌ source can be skipped
+      operator: notin
+      values: [""]
+  ...
+```
+
+```yaml
+# Safe: when uses a task result, source task always runs (no when condition), guarded task
+# params are all pipeline params
+- name: link-pull-request-with-open-status
+  taskRef:
+    name: link-pull-request
+  when:
+    - input: $(tasks.get-ci-results.results.test_result_id)  # get-ci-results always runs ✓
+      operator: notin
+      values: [""]
+  params:
+    - name: pipeline_image
+      value: $(params.pipeline_image)   # pipeline param — OK
+    - name: pyxis_url
+      value: $(params.pyxis_url)        # pipeline param — OK
+```
+
+---
+
+## Rule 4 — `when` input is a task result, guarded task also consumes task results in params ❌
+
+This combination is **not allowed**. When the `when` condition is based on a task result and the
+guarded task also consumes task results in its own params, skipping the task creates an ambiguous
+state in the result propagation chain:
+
+1. The upstream tasks that produced the param results ran and completed.
+2. The guarded task is skipped — those results are not consumed and not transformed.
+3. Any downstream task expecting the guarded task's output receives empty strings, with no clear
+   signal about whether the skip was intentional.
+
+This makes the pipeline hard to reason about and can cause silent failures downstream.
+
+```yaml
+# NOT allowed: when uses a task result, AND params also reference task results
+- name: get-pyxis-certification-data
+  taskRef:
+    name: get-pyxis-certification-data
+  when:
+    - input: $(tasks.certification-project-check.results.certification_project_id)  # task result
+      operator: notin
+      values: [""]
+  params:
+    - name: cert_project_id
+      value: $(tasks.certification-project-check.results.certification_project_id)  # also task result ❌
+    - name: pyxis_url
+      value: $(tasks.set-env.results.pyxis_url)                                     # also task result ❌
+```
+
+**How to fix this:** instead, add an inner guard in the task script and rely on the task's own
+early-exit logic to handle the empty-input case, as was the established workaround pattern in
+this project.
+
+```bash
+# In the task script — guard against empty cert_project_id at the script level
+if [ "$(params.cert_project_id)" == "" ]; then
+  echo -n | tee "$(results.foo.path)"
+  exit 0
+fi
+```
+
+---
+
+## Summary Decision Tree
+
+```
+Is the task being considered for a when condition?
+│
+├── Does it have no downstream dependents?
+│   └── YES → ✅ Use when condition freely
+│
+├── Is the when condition input a pipeline parameter?
+│   └── YES → ✅ Use when condition freely
+│
+└── Is the when condition input a task result?
+    │
+    ├── Can the source task itself be skipped (does it have a when condition)?
+    │   └── YES → ❌ Do NOT use when condition
+    │               Use an inner script guard (exit 0) instead
+    │
+    └── Does the guarded task's params contain any task results?
+        ├── NO  → ✅ Use when condition (self-contained skip)
+        └── YES → ❌ Do NOT use when condition
+                    Use an inner script guard (exit 0) instead
+```
+
+---