Access reason from the execution status of a taskRun in finally

[pritidesai]

Feature request

A finally task can access both the reason and status of a pipelineTask from the tasks section.

Use case

• Perform a range of tests (such as static scans, unit tests, dynamic scans, compliance checks, etc.) within a pipeline. Upload the results of all scans and return a failure if any mandatory scans are unsuccessful.

When these tests are executed as part of a task called checks, compliance checks must pass in prod but can be ignored in dev mode. While the finally task can access the status of the checks, it cannot distinguish between modes or decide whether to report a failure.

Running checks with onError set to continue in dev mode can report success. In this context, success means informing the developer about the failed checks but not preventing the code from being merged into the dev branch.

Running checks with onError set to stopAndFail in prod mode must report failure. This means notifying both the developer and the release manager about the failed checks and preventing the code from being merged into the prod branch.

When onError is set to either continue or stopAndFail and the task fails, the status remains Failed, making it indistinguishable whether the failure was allowed or not. However, when onError is set to continue, the reason is assigned FailureIgnored. This additional information can be used to identify that the checks failed, but the failure can be ignored.

When designing the onError feature at the step level, the step exit code is made available to subsequent steps. Similarly, we are seeking a method to classify a task that failed but had FailureIgnored.

A sample finally task:

    finally:
      - name: finish
        params:
          - name: echo-continue-task-status
            value: $(tasks.echo-continue.status)
          - name: echo-fail-task-status
            value: $(tasks.echo-fail.status)
          - name: echo-continue-task-reason
            value: $(tasks.echo-continue.reason)
          - name: echo-fail-task-reason
            value: $(tasks.echo-fail.reason)
        taskSpec:
          steps:
            - name: check
              image: docker.io/library/alpine
              script: |
                echo "this is a finish task"
                echo "echo-continue Task Status:"
                echo $(params.echo-continue-task-status)
                echo "echo-fail Task Status:"
                echo $(params.echo-fail-task-status)
                echo "echo-continue Task Reason:"
                echo $(params.echo-continue-task-reason)
                echo "echo-fail Task Reason:"
                echo $(params.echo-fail-task-reason)

Logs from this finally task:

k logs pipelinerun-with-failing-task-8dvch-finish-pod
Defaulted container "step-check" out of: step-check, prepare (init), place-scripts (init)
this is a finish task
echo-continue Task Status:
Failed
echo-fail Task Status:
Failed
echo-continue Task Reason:
FailureIgnored
echo-fail Task Reason:
Failed

References:

• Promote onerror Tasks to beta #8090 (comment)
• https://github.com/tektoncd/pipeline/compare/main...pritidesai:pipeline:ignore-task-error?expand=1

/kind feature