feat: adjust EventListener to integrate with new MLOps pipeline

Update EventListener configuration and parameters to align with the
refactored MLOps pipeline that uses DVC version parameters

Author: Yael-F

deploy/Makefile

@@ -179,25 +179,94 @@ For VPN-protected clusters, use GitOps to automatically sync Tekton resources fr
 - Repository access from within the cluster
 
 #### 8.2. Deploy GitOps
+
+**Development Environment:**
+```bash
+# Deploy ArgoCD Application (dev)
+make deploy-dev
+```
+
+**Production Environment:**
 ```bash
-# Deploy ArgoCD Application
-make argocd-deploy
+# Deploy ArgoCD Application (prod) with specific version
+make deploy-prod IMAGE_VERSION=1.2.3
 ```
 
 #### 8.3. How It Works
 - **Auto-sync**: Changes to `main` branch deploy automatically (~3 min)
-- **Self-healing**: Manual changes are automatically reverted
+- **Self-healing**: Manual changes are automatically reverted (dev only)
 - **Pruning**: Deleted files are removed from cluster
-- **Path**: Only syncs `deploy/tekton/` directory
+- **Path**: 
+  - Dev: Syncs `deploy/tekton/base` (uses latest tag)
+  - Prod: Syncs `deploy/tekton/overlays/prod` (uses release versions)
 
 #### 8.4. Configuration
 Set in `.env` file (optional):
 ```env
 GITHUB_REPO_URL=https://github.com/your-org/sast-ai-workflow.git
 ARGOCD_NAMESPACE=sast-ai
+
+# Orchestrator Configuration (for hooks)
+ORCHESTRATOR_API_URL=http://sast-ai-orchestrator.sast-ai.svc.cluster.local:8080
+BATCH_PACKAGES_SHEET_URL=https://docs.google.com/spreadsheets/d/YOUR_SHEET_ID
+BASE_GDRIVE_FOLDER_ID=your-parent-folder-id
+```
+
+#### 8.5. ArgoCD Hooks - Automated Batch Triggering
+
+**What are hooks?**
+
+ArgoCD PostSync hooks automatically trigger batch SAST analysis via the sast-ai-orchestrator when a new release is deployed to production.
+
+**How it works:**
+
+1. New sast-ai-workflow version deployed via ArgoCD
+2. PostSync hook runs after successful sync
+3. Hook generates unique RUN_ID: `v1.2.3-20251021-143055-a3f2b9`
+4. Calls orchestrator batch API with package list
+5. Orchestrator creates Tekton PipelineRuns for each package
+6. All reports organized under the same RUN_ID
+
+**Configuration:**
+
+```bash
+# Set in .env file
+ORCHESTRATOR_API_URL=http://sast-ai-orchestrator.sast-ai.svc.cluster.local:8080
+BATCH_PACKAGES_SHEET_URL=https://docs.google.com/spreadsheets/d/YOUR_SHEET_ID
+
+# Deploy with hooks
+make deploy-prod IMAGE_VERSION=1.2.3
 ```
 
-#### 8.5. Prompt Changes with GitOps
+**Manual hook deployment:**
+
+```bash
+make argocd-hooks
+```
+
+**Disable hooks temporarily:**
+
+```bash
+# Update ConfigMap
+oc edit configmap sast-ai-hook-config -n sast-ai
+# Change: enable-hook: "false"
+```
+
+**Monitor hook execution:**
+
+```bash
+# View hook jobs
+oc get jobs -l app.kubernetes.io/component=argocd-hook -n sast-ai
+
+# View logs
+oc logs -l app.kubernetes.io/component=argocd-hook -n sast-ai --tail=100
+```
+
+**Troubleshooting:**
+
+See detailed troubleshooting guide in `argocd/hooks/README.md`
+
+#### 8.6. Prompt Changes with GitOps
 When modifying prompts in `src/templates/prompts/`, you must regenerate the ConfigMap:
 
 ```bash

deploy/README.md

@@ -1,14 +1,13 @@
 # Tekton EventListener for MLOps Benchmarking
 
-This directory contains a Tekton EventListener implementation that triggers the sast-ai-orchestrator MLOps batch API via webhook. This enables automated MLOps performance testing and benchmarking with DVC data versioning and S3 integration.
+This directory contains a Tekton EventListener implementation that triggers the sast-ai-orchestrator MLOps batch API via webhook. This enables automated MLOps performance testing and benchmarking with DVC data versioning.
 
 ## 🎯 Purpose
 
 Enable MLOps benchmark testing for batch SAST analysis jobs:
 - ✅ Webhook-based triggering (curl/HTTP POST)
 - ✅ Integration with sast-ai-orchestrator MLOps API (`/api/v1/mlops-batches`)
 - ✅ DVC data versioning support
-- ✅ S3 object storage integration
 - ✅ Container image version testing
 - ✅ Separation from production workflows
 - ✅ Fork-friendly configuration
@@ -90,8 +89,6 @@ make eventlistener \
 - ✅ Deploys all EventListener resources via Kustomize
 - ✅ Shows verification and testing commands
 
-**Note:** The Google Sheet URL is provided via the webhook payload when triggering the EventListener, not during deployment.
-
 **Note:** The EventListener always calls `/api/v1/mlops-batches` endpoint (hardcoded for MLOps benchmarking).
 
 Verify deployment:
@@ -118,12 +115,11 @@ http://el-benchmark-mlop-listener.<namespace>.svc.cluster.local:8080
 curl -X POST http://localhost:8080 \
   -H 'Content-Type: application/json' \
   -d '{
-    "batch_sheet_url": "https://docs.google.com/spreadsheets/d/YOUR_TEST_SHEET/edit",
     "submitted_by": "manual-test",
-    "dvc_repo_url": "https://gitlab.com/your-org/dvc-repo.git",
-    "dvc_data_version": "v1.0.0",
-    "s3_endpoint_url": "https://s3.amazonaws.com",
-    "s3_input_bucket_name": "mlops-test-data"
+    "image_version": "v2.1.0",
+    "dvc_nvr_version": "v1.0.0",
+    "dvc_known_false_positives_version": "v1.0.0",
+    "dvc_prompts_version": "v1.0.0"
   }'
 ```
 
@@ -132,13 +128,11 @@ curl -X POST http://localhost:8080 \
 curl -X POST http://localhost:8080 \
   -H 'Content-Type: application/json' \
   -d '{
-    "batch_sheet_url": "https://docs.google.com/spreadsheets/d/YOUR_TEST_SHEET/edit",
     "submitted_by": "version-test",
-    "dvc_repo_url": "https://gitlab.com/your-org/dvc-repo.git",
-    "dvc_data_version": "v1.0.0",
-    "s3_endpoint_url": "https://s3.amazonaws.com",
-    "s3_input_bucket_name": "mlops-test-data",
-    "image_version": "v2.1.0"
+    "image_version": "v2.1.0",
+    "dvc_nvr_version": "v1.0.0",
+    "dvc_known_false_positives_version": "v1.0.0",
+    "dvc_prompts_version": "v1.0.0"
   }'
 ```
 
@@ -182,9 +176,10 @@ Calling Orchestrator MLOps Batch API
 Configuration:
   Orchestrator URL: http://sast-ai-orchestrator...
   API Endpoint: /api/v1/mlops-batches (MLOps benchmarking)
-  Batch Sheet URL: https://docs.google.com/...
-  DVC Repo: https://gitlab.com/...
-  S3 Bucket: mlops-test-data
+  Image Version: v2.1.0
+  DVC NVR Version: v1.0.0
+  DVC Prompts Version: v1.0.0
+  DVC Known False Positives Version: v1.0.0
   ...
 ✓ API call successful!
 Batch ID: batch-12345
@@ -220,7 +215,7 @@ oc logs -l tekton.dev/pipelineTask=call-orchestrator-api --tail=100
 - Orchestrator URL incorrect in ConfigMap
 - Orchestrator service not running: `oc get pods -l app=sast-ai-orchestrator`
 - Network policy blocking connections
-- Google Sheet URL not accessible by orchestrator
+- DVC version parameters not provided in webhook payload
 
 #### Verify ConfigMap
 
@@ -243,26 +238,22 @@ Send JSON payload with these fields:
 
 ```json
 {
-  "batch_sheet_url": "https://docs.google.com/spreadsheets/d/SHEET_ID/edit",
   "submitted_by": "trigger-source",
-  "dvc_repo_url": "https://gitlab.com/org/dvc-repo.git",
-  "dvc_data_version": "v1.2.3",
-  "s3_endpoint_url": "https://s3.amazonaws.com",
-  "s3_input_bucket_name": "mlops-data",
+  "dvc_nvr_version": "v1.2.3",
+  "dvc_known_false_positives_version": "v1.2.3",
+  "dvc_prompts_version": "v1.2.3",
   "image_version": "v2.0.0"
 }
 ```
 
 **Required Fields:**
-- `batch_sheet_url` - Google Sheet with package list
-- `dvc_repo_url` - DVC repository URL
-- `dvc_data_version` - DVC data version tag
-- `s3_endpoint_url` - S3 endpoint URL
-- `s3_input_bucket_name` - S3 bucket name
+- `dvc_nvr_version` - DVC NVR resource version
+- `dvc_prompts_version` - DVC prompts resource version
+- `dvc_known_false_positives_version` - DVC known false positives resource version
 
 **Optional Fields:**
 - `submitted_by` - Defaults to "eventlistener-webhook"
-- `image_version` - Override workflow version for testing (e.g., "v2.1.0", "sha-abc123")
+- `image_version` - Defaults to "latest" (e.g., "v2.1.0", "sha-abc123")
 
 ### ConfigMap Keys
 
@@ -281,13 +272,11 @@ The `benchmark-config` ConfigMap is automatically generated by `make eventlisten
 
 | Parameter | Type | Required | Default | Description |
 |-----------|------|----------|---------|-------------|
-| `batch-sheet-url` | string | Yes | - | Google Sheet with package list |
+| `dvc-nvr-version` | string | **Yes** | - | DVC NVR resource version |
+| `dvc-prompts-version` | string | **Yes** | - | DVC prompts resource version |
+| `dvc-known-false-positives-version` | string | **Yes** | - | DVC known false positives resource version |
 | `submitted-by` | string | No | `eventlistener-webhook` | Trigger source identifier |
-| `dvc-repo-url` | string | Yes | - | DVC repository URL for data versioning |
-| `dvc-data-version` | string | Yes | - | DVC data version tag |
-| `s3-endpoint-url` | string | Yes | - | S3 endpoint URL |
-| `s3-input-bucket-name` | string | Yes | - | S3 bucket name for input data |
-| `image-version` | string | No | (default from pipeline) | Workflow image version for testing (tag only, e.g., "v2.1.0") |
+| `image-version` | string | No | `latest` | Workflow image version for testing (tag only, e.g., "v2.1.0") |
 
 ## 🎓 Understanding the Architecture
 
@@ -339,6 +328,7 @@ The `benchmark-config` ConfigMap is automatically generated by `make eventlisten
                     │  Orchestrator API    │
                     │  POST /api/v1/       │
                     │  mlops-batches       │
+                    │  (with DVC versions) │
                     └──────────────────────┘
 ```
 
@@ -351,10 +341,21 @@ The `benchmark-config` ConfigMap is automatically generated by `make eventlisten
 2. **TriggerBinding**: Extracts parameters from webhook JSON payload (including MLOps params)
 3. **TriggerTemplate**: Generates PipelineRun with extracted parameters
 4. **Pipeline**: Orchestrates task execution, monitors completion, handles results
-5. **Task 1 (call-orchestrator-api)**: Calls orchestrator MLOps API with DVC/S3 params
+5. **Task 1 (call-orchestrator-api)**: Calls orchestrator MLOps API with DVC version params
 6. **Task 2 (poll-batch-status)**: Monitors batch completion until done or timeout
 7. **ConfigMap**: Stores environment-specific configuration (orchestrator URL, API endpoint)
 
+## 🔄 Production Enhancements
+
+For production use, consider:
+
+### Automation
+
+1. **Create CronJob** for scheduled benchmarking
+2. **Set up monitoring** (Prometheus metrics)
+3. **Configure notifications** (Slack/email on completion/failure)
+4. **Add retry logic** for transient failures
+
 ### Production Deployment
 
 Deploy to dedicated namespace:
@@ -381,8 +382,6 @@ This creates both:
 - The `mlop-sast-ai-workflow-pipeline` that the orchestrator will trigger
 - The EventListener webhook endpoint for triggering benchmarks
 
-**Note:** The Google Sheet URL is provided when triggering the EventListener via webhook, not during deployment.
-
 ## 🧹 Cleanup
 
 To remove all MLOps benchmark resources:

deploy/tekton/eventlistener/README.md

@@ -1,13 +1,19 @@
-# MLOps Benchmark Configuration
+# MLOps Benchmark Configuration Example
 #
-# This ConfigMap is automatically generated by 'make eventlistener'.
-# Do not edit manually - regenerate using the Makefile.
+# This is an EXAMPLE file for reference only.
+# The actual benchmark-config.yaml is automatically generated by the Makefile.
 #
-# To regenerate:
+# Recommended deployment method:
 #   cd deploy
 #   make eventlistener \
-#     ORCHESTRATOR_API_URL=<your-url> \
-#     NAMESPACE=<your-namespace>
+#     ORCHESTRATOR_API_URL=http://sast-ai-orchestrator.sast-ai.svc.cluster.local:8080 \
+#     NAMESPACE=your-namespace
+#
+# Finding your orchestrator URL:
+#   oc get svc -l app=sast-ai-orchestrator
+#
+# Note: The Google Sheet URL is provided via webhook payload when triggering,
+#       not in this ConfigMap.
 #
 ---
 apiVersion: v1
@@ -19,8 +25,9 @@ metadata:
     app.kubernetes.io/component: benchmark-mlop
 data:
   # Orchestrator API base URL (cluster-internal service)
-  # REPLACE THIS with your actual orchestrator URL
-  orchestrator-api-url: "http://sast-ai-orchestrator.sast-ai.svc.cluster.local:8080"
+  # This will be replaced by the Makefile with your actual orchestrator URL
+  orchestrator-api-url: "http://sast-ai-orchestrator"
 
   # API endpoint path for MLOps batches
   api-batch-endpoint: "/api/v1/mlops-batches"
+

deploy/tekton/eventlistener/benchmark-config.yaml

@@ -13,61 +13,51 @@ spec:
     batch completion. Designed for performance testing and MLOps workflows.
   
   params:
-    - name: batch-sheet-url
-      type: string
-      description: "Google Sheet URL with package list"
-      default: ""
-    
     - name: submitted-by
       type: string
       description: "Trigger source identifier"
       default: "eventlistener-webhook"
 
-    # MLOps-specific parameters
-    - name: dvc-repo-url
+    - name: image-version
       type: string
-      description: "DVC repository URL for data versioning"
-      default: ""
+      description: "Workflow image version for testing (e.g., v2.1.0, sha-abc123)"
+      default: "latest"
 
-    - name: dvc-data-version
+    # DVC version parameters (required)
+    - name: dvc-nvr-version
       type: string
-      description: "DVC data version tag"
-      default: ""
+      description: "DVC NVR resource version"
 
-    - name: s3-endpoint-url
+    - name: dvc-prompts-version
       type: string
-      description: "S3 endpoint URL for MLOps data"
-      default: ""
+      description: "DVC prompts resource version"
 
-    - name: s3-input-bucket-name
+    - name: dvc-known-false-positives-version
       type: string
-      description: "S3 bucket name for input data"
-      default: ""
+      description: "DVC known false positives resource version"
 
-    - name: image-version
+    - name: use-known-false-positive-file
       type: string
-      description: "Workflow image version for testing (e.g., v2.1.0, sha-abc123)"
-      default: "latest"
+      description: "Whether to use known false positive file"
+      default: "true"
 
   tasks:
     - name: call-orchestrator-api
       taskRef:
         name: call-orchestrator-api-mlop
       params:
-        - name: batch-sheet-url
-          value: $(params.batch-sheet-url)
         - name: submitted-by
           value: $(params.submitted-by)
-        - name: dvc-repo-url
-          value: $(params.dvc-repo-url)
-        - name: dvc-data-version
-          value: $(params.dvc-data-version)
-        - name: s3-endpoint-url
-          value: $(params.s3-endpoint-url)
-        - name: s3-input-bucket-name
-          value: $(params.s3-input-bucket-name)
         - name: image-version
           value: $(params.image-version)
+        - name: dvc-nvr-version
+          value: $(params.dvc-nvr-version)
+        - name: dvc-prompts-version
+          value: $(params.dvc-prompts-version)
+        - name: dvc-known-false-positives-version
+          value: $(params.dvc-known-false-positives-version)
+        - name: use-known-false-positive-file
+          value: $(params.use-known-false-positive-file)
 
     - name: poll-batch-status
       taskRef: