PAC Resolver
This guide is for regular users to use PAC resolver for automatically resolving and embedding tasks and pipelines from local repositories, Tekton Hub, and remote URLs.
This guide explains how to use the Pipelines as Code (PAC) resolver to automatically resolve and embed tasks and pipelines from three sources: local tasks defined in your repository, remote tasks from Tekton Hub, and tasks from remote Git repositories or HTTP URLs.
TOC
Prerequisites
- PAC component deployed and running
- A Repository CR configured (see Configure Repository)
- Understanding of Tekton PipelineRun structure
About PAC Resolver
The PAC resolver automatically fetches and embeds remote tasks and pipelines into your PipelineRun definitions. This eliminates the need to manually define tasks or use resolver syntax in your pipeline code.
When PAC resolves a task from Tekton Hub:
- PAC fetches the task definition (YAML) from the Hub
- PAC converts
taskReftotaskSpecand embeds the task definition inline within your PipelineRun - The embedded task becomes part of the PipelineRun definition
- The task doesn't need to exist as a separate Task resource in your cluster
This means you can use tasks from Tekton Hub without manually copying their definitions or creating Task resources in your cluster.
Supported Sources
- Local Tasks: Tasks defined in your Git repository (using taskSpec or resolver syntax)
- Tekton Hub: Tasks and pipelines from the Tekton Hub catalog
- Remote URLs: Tasks and pipelines from remote Git repositories or HTTP URLs
Official Documentation
For comprehensive information about Pipelines as Code remote resolution features, refer to:
How PAC Resolver Works
Understanding the resolver workflow helps you troubleshoot issues and optimize your pipeline configurations.
Resolver Workflow
When PAC processes a PipelineRun with resolver annotations, it follows these steps:
- Event Trigger: Git event (push, pull request, etc.) triggers PAC controller
- Pipeline Fetch: PAC controller fetches the PipelineRun definition from your Git repository
- Annotation Detection: PAC controller scans annotations for resolver directives:
pipelinesascode.tekton.dev/task: "task-name"pipelinesascode.tekton.dev/task-1: "task-name"pipelinesascode.tekton.dev/pipeline: "pipeline-name"
- Task Resolution: For each task annotation:
- PAC controller queries Tekton Hub API (or configured hub URL)
- Fetches the task definition (YAML)
- Validates the task structure
- Task Embedding: PAC embeds the resolved task definitions into the PipelineRun:
- PAC converts
taskReftotaskSpecand embeds the task definition inline within each task entry - The embedded task becomes part of the PipelineRun definition, so it doesn't need to exist as a separate Task resource in the cluster
- PAC converts
- PipelineRun Creation: PAC creates the final PipelineRun with embedded tasks in Kubernetes
- Execution: Tekton Pipeline controller picks up the PipelineRun and executes it
Detailed Example: Step-by-Step Resolution
Let's trace through a complete example to see how resolver works:
Step 1: Original PipelineRun Definition
You define a PipelineRun in your repository (.tekton/pipelinerun.yaml):
Step 2: PAC Controller Processes Annotations
When a push event occurs, PAC controller:
-
Reads the PipelineRun from Git: PAC fetches the
.tekton/pipelinerun.yamlfile from the repository -
Detects the annotation: PAC scans for task annotations like
pipelinesascode.tekton.dev/task: "git-clone" -
Parses task name and version:
- Task name only (e.g.,
"git-clone"): Fetches the latest version from Hub - With version (e.g.,
"git-clone:0.1"): Fetches the specified version - Version selection:
- No version specified → PAC queries Hub for the latest stable version
- Version specified (format:
task-name:version) → PAC fetches that exact version - Version format follows semantic versioning (e.g.,
0.1,0.9,1.2.3)
- Task name only (e.g.,
-
Queries Tekton Hub API:
- Hub URL: Defaults to cluster-internal Hub (
http://tekton-hub-api.tekton-pipelines:8000/v1) or public Hub (https://api.hub.tekton.dev/v1) - Query for latest: PAC queries Hub for the latest available version
- Query for specific version: PAC requests the exact version specified in the annotation
- Example queries:
- Latest:
"git-clone"→ Hub returns the newest version - Specific:
"git-clone:0.1"→ Hub returns version 0.1
- Latest:
- Hub URL: Defaults to cluster-internal Hub (
-
Receives task definition from Hub: Hub returns the complete Task YAML:
Version Selection Best Practices:
- Production environments: Specify exact versions (e.g.,
"git-clone:0.1") for reproducibility and stability - Development/testing: Use latest version (no version suffix) to get new features and bug fixes automatically
- Version pinning: Always pin to specific versions in production to avoid breaking changes from Hub updates
- Version updates: Periodically review and update pinned versions in a controlled manner
Step 3: PAC Embeds Task into PipelineRun
PAC modifies the PipelineRun by converting taskRef to taskSpec and embedding the resolved task definition:
Step 4: PipelineRun Created in Kubernetes
PAC creates the final PipelineRun in your cluster. You can verify it:
Example output (abbreviated, showing embedded task):
Resolver Timing
Important: Task resolution happens before the PipelineRun is created in Kubernetes. This means:
- Tasks are resolved at pipeline definition time, not at execution time
- If a task cannot be resolved, the PipelineRun creation will fail
- You can verify task resolution by checking the PipelineRun YAML in Kubernetes
- Resolved tasks are cached by PAC for performance
Verifying Task Resolution
To verify that tasks were resolved correctly:
-
Check PipelineRun in Kubernetes:
Look for embedded tasks with taskSpec within individual tasks:
PAC embeds resolved tasks by converting taskRef to taskSpec within individual tasks. The task definition is embedded inline as part of the PipelineRun, following standard Tekton syntax.
-
Check PAC Controller Logs:
Example output (showing task resolution):
-
Verify task is referenced correctly:
Example output:
-
Check if PipelineRun was created successfully:
Example output:
If task resolution failed, the PipelineRun may not be created, or it will have a Failed condition with an error message.
Using Local Tasks
Local tasks are tasks defined directly in your Git repository. PAC supports two ways to use local tasks:
Inline Task Definition (taskSpec)
You can define tasks directly in your PipelineRun using taskSpec:
How it works:
- Tasks are defined inline using
taskSpecwithin each task in the pipeline - No external resolution is needed - tasks are part of the PipelineRun definition
- Useful for simple, repository-specific tasks
Referencing Task Files in Repository
You can reference task files stored in your repository using PAC annotations with the special syntax for tasks within the repository.
Important: For tasks in your repository, use the annotation format with pipelinesascode.tekton.dev/task or pipelinesascode.tekton.dev/task-<N> annotations.
Repository structure:
PipelineRun definition using PAC annotations:
How it works:
- PAC automatically resolves and embeds tasks from your repository when you use relative paths in task annotations
- The task name in
taskRef.nameshould match the task name defined in the YAML file - This method is simpler than using
resolver: gitsyntax and is the recommended approach for PAC
When to Use Local Tasks
Use local tasks when:
- Tasks are specific to your project and not suitable for sharing
- You need full control over task definitions and versions
- Tasks change frequently with your codebase
- You want to keep tasks and pipelines together in version control
Using Remote Task Annotations
You can use PAC annotations to reference remote tasks from Tekton Hub or remote HTTP URLs. PAC will automatically fetch and embed these tasks into your PipelineRun.
Remote Tasks from Tekton Hub
Reference a single task from Tekton Hub:
How it works:
- The annotation
pipelinesascode.tekton.dev/task: "git-clone"tells PAC to fetch thegit-clonetask from Tekton Hub - PAC automatically embeds the task definition into your PipelineRun
- You can then reference it using
taskRef.name: git-clone
Remote Tasks from HTTP URLs
You can also reference tasks from remote HTTP URLs:
How it works:
- PAC fetches the task definition from the specified HTTP URL
- PAC automatically embeds the task into your PipelineRun
- The task name in
taskRef.nameshould match the task name defined in the remote YAML file
Multiple Task Annotations
Reference multiple tasks using numbered annotations:
Task List Syntax
You can also use bracket syntax to specify multiple tasks in a single annotation:
This is equivalent to:
Task Version Specification
By default, PAC fetches the latest version of a task from Hub. To specify a specific version, use the format task-name:version.
Reference: For more details on remote task resolution, see Red Hat OpenShift Pipelines as Code documentation.
Latest version (recommended for development):
Specific version (recommended for production):
Multiple tasks with versions:
Custom Hub URL
The default hub-url points to the cluster-internal Tekton Hub service in the default namespace (http://tekton-hub-api.tekton-pipelines:8000/v1). If Tekton Hub is deployed in a different namespace, adjust the namespace in the URL accordingly. If you need to use a different Hub instance, configure it in the OpenShiftPipelinesAsCode CR:
Note: Only the PAC controller needs access to the Hub URL. If using a cluster-internal Hub, ensure the PAC controller can reach the Hub service.
Using Remote Pipeline Annotations
Remote pipeline annotations are rarely used in practice. Most users define pipelines inline using pipelineSpec rather than referencing remote pipelines. This section is included for completeness.
You can reference remote pipelines from Tekton Hub, though this is less common than using inline pipeline definitions:
How it works:
- The annotation
pipelinesascode.tekton.dev/pipeline: "pipeline-name"tells PAC to fetch the pipeline from Tekton Hub - PAC automatically embeds the pipeline definition
- You reference it using
pipelineRef.name
Note: In most cases, you should define your pipeline inline using pipelineSpec in your repository, rather than using remote pipelines. This gives you better version control and visibility of your pipeline definitions.
Combining Remote Tasks and Pipelines
Comparison with Resolver Syntax
PAC annotations provide a simpler alternative to Tekton's resolver syntax:
Using PAC Annotations (Recommended)
Using Resolver Syntax
Advantages of PAC annotations:
- Simpler syntax
- Automatic task embedding
- No need to specify resolver parameters
- Works seamlessly with PAC's task resolution
Troubleshooting
Task Not Found
-
Verify task name: Check that the task name is correct in Tekton Hub
-
Check Hub URL: Verify the hub URL is configured correctly
-
Review PAC logs:
Example output:
Task Resolution Fails
-
Check network connectivity: Ensure PAC controller can reach Tekton Hub
Example output (if accessible):
-
Verify Hub configuration: Check the
hub-urlsetting inOpenShiftPipelinesAsCodeCR
Example output:
-
Review task version: Ensure the specified version exists
Example output (abbreviated):
Task Not Embedded
- Verify annotation syntax: Check annotation key and value format
- Check PipelineRun: Ensure
taskRef.namematches the task name in annotation - Review PAC controller logs for embedding errors
Next Steps
- Maintain Pipeline Code - Pipeline definition guide
- Advanced Repository Configuration - Advanced Repository CR settings
- Manage PipelineRuns - PipelineRun management
- Common Issues - Troubleshooting guide