Add step to make our tasks trusted

.tekton/acs-konflux-tasks-push.yaml

@@ -28,6 +28,8 @@ spec:
     value: '{{revision}}'
   - name: output-image
     value: quay.io/rhacs-eng/konflux-tasks:rev-{{revision}}
+  - name: output-trust-data-repo
+    value: quay.io/rhacs-eng/konflux-tasks-trust
   - name: rebuild
     value: "true"
   - name: build-source-image
@@ -53,6 +55,9 @@ spec:
     - description: Fully Qualified Output Image
       name: output-image
       type: string
+    - description: Image repository where to update data about tasks trust
+      name: output-trust-data-repo
+      type: string
     - default: .
       description: Path to the source code of an application's component from where
         to build image.
@@ -523,3 +528,27 @@ spec:
       - input: $(params.skip-checks)
         operator: in
         values: [ "false" ]
+
+    - name: update-tasks-trust
+      description: Updates the image which allows to trust built tasks in EC.
+      params:
+      - name: TASKS_IMAGE
+        value: $(tasks.build-image-index.results.IMAGE_URL)@$(tasks.build-image-index.results.IMAGE_DIGEST)
+      - name: OUTPUT_IMAGE
+        value: $(params.output-trust-data-repo):$(tasks.get-floating-tag.results.FLOATING_TAG)
+      taskSpec:
+        params:
+        - name: TASKS_IMAGE
+          type: string
+        - name: OUTPUT_IMAGE
+          type: string
+        steps:
+        - name: update-tasks-trust
+          image: quay.io/konflux-ci/appstudio-utils:latest@sha256:5c77fe44dfd9615b1ba854e27e4ae2583146599eb4021ca8bd4662d2ba3ffa14
+          script: |
+            #!/usr/bin/env bash
+            set -euo pipefail
+
+            ec --verbose track bundle --freshen \
+              --bundle "$(params.TASKS_IMAGE)"
+              --output "oci:$(params.OUTPUT_IMAGE)"