59 changes: 35 additions & 24 deletions .github/workflows/build.yaml
Expand Up @@ -28,7 +28,13 @@ jobs:
run: |
source './scripts/ci/lib.sh'

matrix='{ "pre_build_go_binaries": { "name":[], "arch":[] }, "build_and_push_main": { "name":[], "arch":[] }, "push_main_multiarch_manifests": { "name":[] } }'
matrix='{
"pre_build_go_binaries": { "name":[], "arch":[] },
"build_and_push_main": { "name":[], "arch":[] },
"push_main_multiarch_manifests": { "name":[] },
"build_and_push_operator": { "name":[] },
"scan_images_with_roxctl": { "name":[], "image":[] }
}'

# The base matrix
matrix="$(jq '.pre_build_go_binaries.name += ["default"]' <<< "$matrix")"
Expand All @@ -39,6 +45,11 @@ jobs:

matrix="$(jq '.push_main_multiarch_manifests.name += ["RHACS_BRANDING", "STACKROX_BRANDING"]' <<< "$matrix")"

matrix="$(jq '.build_and_push_operator.name += ["RHACS_BRANDING"]' <<< "$matrix")"

matrix="$(jq '.scan_images_with_roxctl.name += ["RHACS_BRANDING", "STACKROX_BRANDING"]' <<< "$matrix")"
matrix="$(jq '.scan_images_with_roxctl.image += ["central-db", "collector", "collector-slim", "main", "roxctl", "scanner", "scanner-db", "scanner-db-slim", "scanner-slim", "stackrox-operator"]' <<< "$matrix")"

if ! is_in_PR_context || pr_has_label ci-build-all-arch; then
matrix="$(jq '.pre_build_go_binaries.arch += ["ppc64le", "s390x"]' <<< "$matrix")"
matrix="$(jq '.build_and_push_main.arch += ["ppc64le", "s390x"]' <<< "$matrix")"
Expand Down Expand Up @@ -543,17 +554,18 @@ jobs:

build-and-push-operator:
runs-on: ubuntu-latest
needs:
- define-job-matrix
container:
image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.4
env:
QUAY_RHACS_ENG_RW_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RW_USERNAME }}
QUAY_RHACS_ENG_RW_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }}
QUAY_RHACS_ENG_BEARER_TOKEN: ${{ secrets.QUAY_RHACS_ENG_BEARER_TOKEN }}
strategy:
matrix:
branding: [ RHACS_BRANDING ]
matrix: ${{ fromJson(needs.define-job-matrix.outputs.matrix).build_and_push_operator }}
env:
ROX_PRODUCT_BRANDING: ${{ matrix.branding }}
ROX_PRODUCT_BRANDING: ${{ matrix.name }}
steps:
- name: Checkout
uses: actions/checkout@v4
Expand Down Expand Up @@ -679,6 +691,7 @@ jobs:
scan-images-with-roxctl:
if: github.event_name == 'push'
needs:
- define-job-matrix
- build-and-push-main
- build-and-push-operator
- push-main-manifests
Expand All @@ -690,20 +703,7 @@ jobs:
security-events: write
strategy:
fail-fast: false
matrix:
image:
[
"central-db",
"collector",
"collector-slim",
"main",
"roxctl",
"scanner",
"scanner-db",
"scanner-db-slim",
"scanner-slim",
"stackrox-operator",
]
matrix: ${{ fromJson(needs.define-job-matrix.outputs.matrix).scan_images_with_roxctl }}
steps:
- name: Checkout
uses: actions/checkout@v4
Expand All @@ -730,14 +730,25 @@ jobs:

- name: Scan images for vulnerabilities
run: |
release_tag=$(make tag)
if [[ ${{ matrix.image }} =~ "operator" ]]; then
release_tag=$(make -C operator --silent tag)
# TODO(ROX-26026): delete once it's clear if GHA has pipefail
set -o

release_tag="$(make --quiet --no-print-directory tag)"
if [[ "${{ matrix.image }}" =~ "operator" ]]; then
release_tag="$(make -C operator --quiet --no-print-directory tag)"
fi

registry="$(./scripts/ci/lib.sh registry_from_branding "${{ matrix.name }}")"

if [[ "${{ matrix.image }}" =~ "operator" && "${{ matrix.name }}" == "STACKROX_BRANDING" ]]; then
# TODO(ROX-27191): reenable once there's community operator.
echo "Skipping the operator image scan because there's no OSS operator"
exit 0
fi

roxctl image scan --retries=10 --retry-delay=15 --force --severity=CRITICAL,IMPORTANT --output=sarif \
--image="quay.io/rhacs-eng/${{ matrix.image }}:${release_tag}" \
> results.sarif
cat results.sarif
--image="${registry}/${{ matrix.image }}:${release_tag}" \
| tee results.sarif

# TODO: re-enable roxctl scan results upload once quota issue has been resolved
# - name: Upload roxctl scan results to GitHub Security tab
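Review bot: The `| tee results.sarif` that replaces `> results.sarif` at the end of the "Scan images for vulnerabilities" step can hide a failed `roxctl image scan`: unless this job sets `shell: bash` (not visible in the hunk; GitHub then runs `bash --noprofile --norc -eo pipefail`), the default `run` shell is `bash -e {0}` without pipefail, so the pipeline's status is tee's and the step passes even when the scan errors out. The `set -o` line added for the ROX-26026 investigation only prints the current shell options; it does not enable pipefail. I would add `set -o pipefail` directly after it (or `shell: bash` on the job) so the SARIF step fails when the scan does. The same `| tee -a "$GITHUB_OUTPUT"` pattern in release-ci.yaml is harmless because `echo` is the producer, but it relies on the same assumption.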
4 changes: 2 additions & 2 deletions .github/workflows/release-ci.yaml
Expand Up @@ -39,9 +39,9 @@ jobs:
run: |
source scripts/ci/lib.sh
if is_release_version "${{ github.ref_name }}"; then
echo "is_release=true" >> "$GITHUB_OUTPUT"
echo "is_release=true" | tee -a "$GITHUB_OUTPUT"
else
echo "is_release=false" >> "$GITHUB_OUTPUT"
echo "is_release=false" | tee -a "$GITHUB_OUTPUT"
fi

check-scanner-version:
6 changes: 2 additions & 4 deletions .tekton/basic-component-pipeline.yaml
Expand Up @@ -192,6 +192,8 @@ spec:
value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
- name: MAKEFILE_DIRECTORY
value: $(params.image-tag-makefile-directory)
- name: SOURCE_BRANCH
value: "{{source_branch}}"
taskRef:
name: determine-image-tag

Expand Down Expand Up @@ -236,7 +238,6 @@ spec:
value: $(tasks.clone-repository.results.commit)
- name: BUILD_ARGS
value:
- VERSIONS_SUFFIX=$(params.output-tag-suffix)
- MAIN_IMAGE_TAG=$(tasks.determine-image-tag.results.IMAGE_TAG)
- name: SOURCE_ARTIFACT
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
Expand Down Expand Up @@ -274,7 +275,6 @@ spec:
value: $(tasks.clone-repository.results.commit)
- name: BUILD_ARGS
value:
- VERSIONS_SUFFIX=$(params.output-tag-suffix)
- MAIN_IMAGE_TAG=$(tasks.determine-image-tag.results.IMAGE_TAG)
- name: SOURCE_ARTIFACT
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
Expand Down Expand Up @@ -314,7 +314,6 @@ spec:
value: $(tasks.clone-repository.results.commit)
- name: BUILD_ARGS
value:
- VERSIONS_SUFFIX=$(params.output-tag-suffix)
- MAIN_IMAGE_TAG=$(tasks.determine-image-tag.results.IMAGE_TAG)
- name: SOURCE_ARTIFACT
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
Expand Down Expand Up @@ -354,7 +353,6 @@ spec:
value: $(tasks.clone-repository.results.commit)
- name: BUILD_ARGS
value:
- VERSIONS_SUFFIX=$(params.output-tag-suffix)
- MAIN_IMAGE_TAG=$(tasks.determine-image-tag.results.IMAGE_TAG)
- name: SOURCE_ARTIFACT
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
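Review bot: `SOURCE_BRANCH` is declared on the determine-image-tag task without a default, so every PipelineRun that references that task must now pass it; this file, main-pipeline.yaml and operator-bundle-pipeline.yaml do, but any other pipeline in `.tekton/` that uses the task and is not touched by this commit would fail validation, which is worth a grep before merge. Dropping `VERSIONS_SUFFIX=$(params.output-tag-suffix)` from the four BUILD_ARGS lists here and in main-pipeline.yaml presumes the Dockerfiles no longer consume that ARG; if one still declares it with a default, the build silently falls back to that default instead of erroring, so I would confirm the ARG is gone from the Dockerfiles in the same change.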
9 changes: 4 additions & 5 deletions .tekton/central-db-build.yaml
Expand Up @@ -9,13 +9,12 @@ metadata:
build.appstudio.redhat.com/target_branch: '{{target_branch}}'
pipelinesascode.tekton.dev/max-keep-runs: "500"
# TODO(ROX-21073): re-enable for all PR branches
pipelinesascode.tekton.dev/on-cel-expression: (
event == "push" && (
source_branch == "master" ||
target_branch.startsWith("refs/tags/")
)
pipelinesascode.tekton.dev/on-cel-expression: |
(
event == "push" && target_branch.matches("^(master|release-.*|refs/tags/.*)$")
) || (
event == "pull_request" && (
target_branch.startsWith("release-") ||
source_branch.matches("(konflux|renovate|appstudio|rhtap)") ||
body.pull_request.labels.exists(l, l.name == "konflux-build")
)
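Review bot: The push clause `target_branch.matches("^(master|release-.*|refs/tags/.*)$")` now triggers a Konflux build for every pushed tag, not only release and RC tags, while the downstream determine-image-tag task presumably keeps its `-fast` suffix for tags that do not match its SUPPRESS regex; if that is the intent, a comment above the annotation would save the next reader a trip through the task, e.g. `# push: master, release-* and any tag (non-release tags keep the suffix, see determine-image-tag)`. The same expression is copied verbatim into main-build.yaml, operator-build.yaml, operator-bundle-build.yaml and retag-collector-full.yaml, so any future adjustment has to touch all five files; the `# TODO(ROX-21073)` line above it also still reads as if PR builds were disabled, which the new `pull_request` clause partly reverts.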
56 changes: 47 additions & 9 deletions .tekton/determine-image-tag-task.yaml
Expand Up @@ -5,7 +5,7 @@ metadata:
namespace: rh-acs-tenant
# TODO(ROX-23812): Refactor to a task bundle
spec:
description: Determines the tag for the output image using the StackRox convention from 'make tag' output.
description: Determines the tag for input or output image using the StackRox conventions.
params:
- name: TAG_SUFFIX
description: Suffix to append to generated image tag.
Expand All @@ -23,6 +23,17 @@ spec:
description: Makefile target to run.
type: string
default: "tag"
- name: SOURCE_BRANCH
description: Branch or tag that triggered a build pipeline with this task.
Must be set to {{ source_branch }} Pipelines as Code variable.
See https://pipelinesascode.com/docs/guide/authoringprs/#dynamic-variables
type: string
- name: SUPPRESS_TAG_SUFFIX_ON_SOURCE_BRANCH_REGEX
description: Regular expression which, when matches SOURCE_BRANCH param, prevents TAG_SUFFIX to be appended to the
resulting tag. Intended for Stable Stream builds where we want to produce image tags without the "-fast" suffix.
Set to release branches, release and RC tags by default.
type: string
default: ^(release-.*|refs/tags/[0-9]+\.[0-9]+\.[0-9]+(-rc\.[0-9]+)?)$
results:
- name: IMAGE_TAG
description: Image Tag determined by custom logic.
Expand All @@ -40,7 +51,7 @@ spec:
- use
- $(params.SOURCE_ARTIFACT)=/var/workdir/source
- name: determine-image-tag
image: registry.access.redhat.com/ubi8:latest
image: registry.access.redhat.com/ubi9:latest
workingDir: /var/workdir/source
script: |
#!/usr/bin/env bash
Expand All @@ -50,13 +61,40 @@ spec:

.konflux/scripts/fail-build-if-git-is-dirty.sh

# Basic protection against running something arbitrary.
allowed_targets="tag|collector-tag|scanner-tag"
if [[ "|${allowed_targets}|" != *"|$(params.MAKEFILE_TARGET)|"* ]]; then
>&2 echo "Error: provided MAKEFILE_TARGET $(params.MAKEFILE_TARGET) is not one of the allowed targets ${allowed_targets}"
suffix="$(params.TAG_SUFFIX)"
makefile_target="$(params.MAKEFILE_TARGET)"

if [[ "${makefile_target}" == "collector-tag" || "${makefile_target}" == "scanner-tag" ]]; then

# For dependencies (i.e. scanner and collector) tags, we always take what make returns. Konflux builds of
# scanner and collector don't replace quay.io/rhacs-eng/ builds that's why we currently locate Konflux images
# via the suffix.
image_tag="$(make -C "$(params.MAKEFILE_DIRECTORY)" --quiet --no-print-directory "${makefile_target}")${suffix}"

elif [[ "${makefile_target}" != "tag" ]]; then

>&2 echo "Error: provided MAKEFILE_TARGET ${makefile_target} is not recognized."
exit 2
fi

image_tag="$(make -C "$(params.MAKEFILE_DIRECTORY)" --quiet --no-print-directory "$(params.MAKEFILE_TARGET)")$(params.TAG_SUFFIX)"
else # "${makefile_target}" is "tag"

source_branch="$(params.SOURCE_BRANCH)"

if grep -qE '$(params.SUPPRESS_TAG_SUFFIX_ON_SOURCE_BRANCH_REGEX)' <<< "${source_branch}"; then
echo "Target branch ${source_branch} matches regex, the image tag suffix ${suffix} will be omitted."
suffix=""
fi

if [[ "${source_branch}" == refs/tags/* ]]; then
echo "${source_branch} seems to be a build of a git tag, will use this git tag."
image_tag="${source_branch#refs/tags/}"
else
# Otherwise, delegate the work to Makefiles.
image_tag="$(make -C "$(params.MAKEFILE_DIRECTORY)" --quiet --no-print-directory "${makefile_target}")"
fi

image_tag="${image_tag}${suffix}"

fi

echo -n "$image_tag" | tee "$(results.IMAGE_TAG.path)"
echo -n "${image_tag}" | tee "$(results.IMAGE_TAG.path)"
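Review bot: `grep -qE '$(params.SUPPRESS_TAG_SUFFIX_ON_SOURCE_BRANCH_REGEX)' <<< "${source_branch}"` splices the parameter into the script text before bash parses it, so a value containing a single quote ends the quoting and the remainder is interpreted as shell rather than as a pattern; the revision being replaced guarded `MAKEFILE_TARGET` against precisely this class of misuse, and the new `if/elif` keeps that for the target but not for the new regex param. The usual Tekton mitigation is to expose the parameter through the step's `env:` and read the variable at runtime, which also applies to `TAG_SUFFIX`, `MAKEFILE_DIRECTORY` and `SOURCE_BRANCH` (all already interpolated the same way, though inside double quotes). Separately, the log line `echo "Target branch ${source_branch} matches regex, …"` reports the source branch, so "Source branch" would be the accurate wording, and the default regex at the `SUPPRESS_TAG_SUFFIX_ON_SOURCE_BRANCH_REGEX` param would read less ambiguously as a single-quoted YAML scalar given its backslashes and `|`.

```yaml
    - name: determine-image-tag
      image: registry.access.redhat.com/ubi9:latest
      workingDir: /var/workdir/source
      env:
        - name: SUPPRESS_TAG_SUFFIX_ON_SOURCE_BRANCH_REGEX
          value: $(params.SUPPRESS_TAG_SUFFIX_ON_SOURCE_BRANCH_REGEX)
      script: |
        # … unchanged: bash preamble, dirty-tree check, target dispatch …
        if grep -qE "${SUPPRESS_TAG_SUFFIX_ON_SOURCE_BRANCH_REGEX}" <<< "${source_branch}"; then
          echo "Source branch ${source_branch} matches regex, the image tag suffix ${suffix} will be omitted."
          suffix=""
        fi
        # … unchanged: refs/tags handling, make call, result write …
```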
9 changes: 4 additions & 5 deletions .tekton/main-build.yaml
Expand Up @@ -9,13 +9,12 @@ metadata:
build.appstudio.redhat.com/target_branch: '{{target_branch}}'
pipelinesascode.tekton.dev/max-keep-runs: "500"
# TODO(ROX-21073): re-enable for all PR branches
pipelinesascode.tekton.dev/on-cel-expression: (
event == "push" && (
source_branch == "master" ||
target_branch.startsWith("refs/tags/")
)
pipelinesascode.tekton.dev/on-cel-expression: |
(
event == "push" && target_branch.matches("^(master|release-.*|refs/tags/.*)$")
) || (
event == "pull_request" && (
target_branch.startsWith("release-") ||
source_branch.matches("(konflux|renovate|appstudio|rhtap)") ||
body.pull_request.labels.exists(l, l.name == "konflux-build")
)
6 changes: 2 additions & 4 deletions .tekton/main-pipeline.yaml
Expand Up @@ -186,6 +186,8 @@ spec:
value: $(params.output-tag-suffix)
- name: SOURCE_ARTIFACT
value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
- name: SOURCE_BRANCH
value: "{{source_branch}}"
taskRef:
name: determine-image-tag

Expand Down Expand Up @@ -241,7 +243,6 @@ spec:
value: $(tasks.clone-repository.results.commit)
- name: BUILD_ARGS
value:
- VERSIONS_SUFFIX=$(params.output-tag-suffix)
- MAIN_IMAGE_TAG=$(tasks.determine-image-tag.results.IMAGE_TAG)
- name: SOURCE_ARTIFACT
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
Expand Down Expand Up @@ -283,7 +284,6 @@ spec:
value: $(tasks.clone-repository.results.commit)
- name: BUILD_ARGS
value:
- VERSIONS_SUFFIX=$(params.output-tag-suffix)
- MAIN_IMAGE_TAG=$(tasks.determine-image-tag.results.IMAGE_TAG)
- name: SOURCE_ARTIFACT
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
Expand Down Expand Up @@ -326,7 +326,6 @@ spec:
value: $(tasks.clone-repository.results.commit)
- name: BUILD_ARGS
value:
- VERSIONS_SUFFIX=$(params.output-tag-suffix)
- MAIN_IMAGE_TAG=$(tasks.determine-image-tag.results.IMAGE_TAG)
- name: SOURCE_ARTIFACT
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
Expand Down Expand Up @@ -369,7 +368,6 @@ spec:
value: $(tasks.clone-repository.results.commit)
- name: BUILD_ARGS
value:
- VERSIONS_SUFFIX=$(params.output-tag-suffix)
- MAIN_IMAGE_TAG=$(tasks.determine-image-tag.results.IMAGE_TAG)
- name: SOURCE_ARTIFACT
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
9 changes: 4 additions & 5 deletions .tekton/operator-build.yaml
Expand Up @@ -9,13 +9,12 @@ metadata:
build.appstudio.redhat.com/target_branch: '{{target_branch}}'
pipelinesascode.tekton.dev/max-keep-runs: "500"
# TODO(ROX-21073): re-enable for all PR branches
pipelinesascode.tekton.dev/on-cel-expression: (
event == "push" && (
source_branch == "master" ||
target_branch.startsWith("refs/tags/")
)
pipelinesascode.tekton.dev/on-cel-expression: |
(
event == "push" && target_branch.matches("^(master|release-.*|refs/tags/.*)$")
) || (
event == "pull_request" && (
target_branch.startsWith("release-") ||
source_branch.matches("(konflux|renovate|appstudio|rhtap)") ||
body.pull_request.labels.exists(l, l.name == "konflux-build")
)
9 changes: 4 additions & 5 deletions .tekton/operator-bundle-build.yaml
Expand Up @@ -9,13 +9,12 @@ metadata:
build.appstudio.redhat.com/target_branch: '{{target_branch}}'
pipelinesascode.tekton.dev/max-keep-runs: "500"
# TODO(ROX-21073): re-enable for all PR branches
pipelinesascode.tekton.dev/on-cel-expression: (
event == "push" && (
source_branch == "master" ||
target_branch.startsWith("refs/tags/")
)
pipelinesascode.tekton.dev/on-cel-expression: |
(
event == "push" && target_branch.matches("^(master|release-.*|refs/tags/.*)$")
) || (
event == "pull_request" && (
target_branch.startsWith("release-") ||
source_branch.matches("(konflux|renovate|appstudio|rhtap)") ||
body.pull_request.labels.exists(l, l.name == "konflux-build")
)
4 changes: 4 additions & 0 deletions .tekton/operator-bundle-pipeline.yaml
Expand Up @@ -296,6 +296,8 @@ spec:
value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
- name: MAKEFILE_DIRECTORY
value: ./operator
- name: SOURCE_BRANCH
value: "{{source_branch}}"
taskRef:
name: determine-image-tag

Expand All @@ -307,6 +309,8 @@ spec:
value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
- name: MAKEFILE_DIRECTORY
value: "."
- name: SOURCE_BRANCH
value: "{{source_branch}}"
taskRef:
name: determine-image-tag

11 changes: 9 additions & 2 deletions .tekton/retag-collector-full.yaml
Expand Up @@ -10,8 +10,15 @@ metadata:
pipelinesascode.tekton.dev/max-keep-runs: "500"
# TODO(ROX-21073): re-enable for all PR branches
pipelinesascode.tekton.dev/on-cel-expression: |
(event == "push" && target_branch.matches("^(master|release-.*)$")) ||
(event == "pull_request" && (source_branch.matches("(konflux|renovate|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build")))
(
event == "push" && target_branch.matches("^(master|release-.*|refs/tags/.*)$")
) || (
event == "pull_request" && (
target_branch.startsWith("release-") ||
source_branch.matches("(konflux|renovate|appstudio|rhtap)") ||
body.pull_request.labels.exists(l, l.name == "konflux-build")
)
)
labels:
appstudio.openshift.io/application: acs
name: retag-collector-full