WIP: Add Konflux pipeline for Go version validation#19737
Create a minimal, hermetic Konflux pipeline to verify Go version compatibility by running 'go mod tidy'.

The pipeline:
- Triggers automatically on PRs that modify go.mod (via labeler)
- Runs go mod tidy in the same Go environment as production builds
- Fails if go.mod or go.sum are modified by tidy (indicating version issues)
- Provides fast feedback (~2-5 min) compared to full builds (~1+ hour)
- Uses hermetic builds with Cachi2 dependency prefetching

Files:
- .github/labeler.yml: Add go-mod-check label for go.mod changes
- .tekton/go-mod-validation-pipeline.yaml: Pipeline definition with inline verify-go-mod-tidy task
- .tekton/go-mod-validation-build.yaml: PipelineRun with triggers

User request: Create a Konflux pipeline to check if the installed Go version supports the version specified in go.mod, using go mod tidy as the validation mechanism.

Note: Requires service account 'build-pipeline-go-mod-validation' to be created by Konflux admins with access to quay.io/rhacs-eng/go-mod-validation.

This change was partially generated with AI assistance.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Skipping CI for Draft Pull Request.
Hey - I've left some high level feedback:
- In the `verify-go-mod-tidy` script, `cp go.sum go.sum.before` will fail for modules that don't yet have a `go.sum`; consider guarding this copy and the subsequent `diff` with an `if [ -f go.sum ]` check so the task works for both cases.
- The Slack notification message hardcodes the Konflux UI base URL; consider parameterizing the host (e.g., via a pipeline param) so the same pipeline can be reused across clusters or environments without edits.
Walkthrough: This pull request introduces a new Tekton-based CI/CD pipeline for validating Go module tidiness. It adds GitHub PR labeler configuration to identify commits affecting
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/labeler.yml:
- Around line 97-100: The go-mod-check label currently triggers only when go.mod changes (see label name "go-mod-check" and the "changed-files -> any-glob-to-any-file -> - go.mod" entry); update that label's changed-files pattern to include go.sum as well (add "- go.sum" alongside "- go.mod") so the auto-trigger fires for changes to either file.
In @.tekton/go-mod-validation-pipeline.yaml:
- Around line 193-200: The current shell block silently continues if /workspace/cachi2/cachi2.env is missing; change it to fail-fast by exiting with a non-zero status when the file is not found. Modify the existing if/else that checks /workspace/cachi2/cachi2.env so that the else branch echoes a clear error (e.g., "ERROR: cachi2.env not found") and calls exit 1, ensuring the PipelineRun/prefetch-input validation cannot be bypassed.
📒 Files selected for processing (3)
- .github/labeler.yml
- .tekton/go-mod-validation-build.yaml
- .tekton/go-mod-validation-pipeline.yaml
| go-mod-check: | ||
| - changed-files: | ||
| - any-glob-to-any-file: | ||
| - go.mod |
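Review bot: the `go.mod` glob on the last line of this hunk matches only a repository-root go.mod, so if the repository ever carries nested modules their toolchain drift never raises the label; if that is in scope, the pattern should be `**/go.mod`. Since the validation task compares go.sum as well as go.mod, `- go.sum` belongs in the same `any-glob-to-any-file` list so a sum-only change also triggers the check.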
Include go.sum in the auto-trigger label.
The validation fails on drift in either go.mod or go.sum, but this label is only applied for go.mod. A PR that only updates go.sum will skip the new check entirely.
Suggested fix
go-mod-check:
- changed-files:
- any-glob-to-any-file:
- go.mod
+ - go.sum
| if [ -f /workspace/cachi2/cachi2.env ]; then | ||
| echo "=== Sourcing Cachi2 environment ===" | ||
| set +u | ||
| source /workspace/cachi2/cachi2.env | ||
| set -u | ||
| else | ||
| echo "WARNING: cachi2.env not found, proceeding without hermetic environment" | ||
| fi |
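Review bot: the `else` branch at the end of this hunk downgrades a missing `/workspace/cachi2/cachi2.env` to a WARNING, so a failed or skipped prefetch still produces a passing run whose `go mod tidy` resolved modules outside the prefetched set, which is exactly the case this hermetic check exists to catch; that branch should `exit 1`. It would also help to print what the file exported right after the `source` line (for example `go env GOPROXY GOMODCACHE`) so the task log itself shows that tidy ran against the Cachi2 cache rather than the public proxy.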
Fail fast when cachi2.env is missing.
This check is supposed to validate the hermetic path, and the paired PipelineRun always supplies prefetch-input. Continuing without cachi2.env can turn a broken prefetch/configuration into a false green run.
Suggested fix
- if [ -f /workspace/cachi2/cachi2.env ]; then
- echo "=== Sourcing Cachi2 environment ==="
- set +u
- source /workspace/cachi2/cachi2.env
- set -u
- else
- echo "WARNING: cachi2.env not found, proceeding without hermetic environment"
- fi
+ if [ ! -f /workspace/cachi2/cachi2.env ]; then
+ echo "ERROR: cachi2.env not found; aborting because this validation must run hermetically"
+ exit 1
+ fi
+ echo "=== Sourcing Cachi2 environment ==="
+ set +u
+ source /workspace/cachi2/cachi2.env
+ set -u
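The three procedural points raised so far (the description's snapshot, tidy, compare check; the first review's guard for a module that has no go.sum yet; the second review's fail-fast handling of cachi2.env) folded into one POSIX shell example. This is added here and is not the PR's Tekton step script; the env-file argument to `load_hermetic_env` and the `GO` variable are hypothetical knobs, added so the check can be exercised with a stand-in toolchain, and the cachi2.env path is the one the hunk above uses.

```shell
#!/bin/sh
# Added example, not the PR's own verify-go-mod-tidy step.
# Assumptions (not from the PR): GO names the go binary to run (default "go");
# load_hermetic_env takes the env-file path as $1 (default is the path the PR uses).
set -eu

# Source the Cachi2 environment or abort. Warning-and-continue would let a
# broken prefetch produce a green run that quietly used the public proxy.
load_hermetic_env() {
    env_file="${1:-/workspace/cachi2/cachi2.env}"
    if [ ! -f "$env_file" ]; then
        echo "ERROR: $env_file not found; refusing to run non-hermetically" >&2
        return 1
    fi
    set +u               # cachi2.env may expand variables that are unset here
    . "$env_file"
    set -u
    echo "=== Hermetic environment sourced from $env_file ==="
    return 0
}

# Snapshot go.mod/go.sum, run "go mod tidy" in module directory $1, compare.
# Exit status: 0 = tidy ran and changed nothing; 1 = tidy itself failed
# (e.g. "go: go.mod requires go >= X.Y.Z"); 2 = tidy rewrote, created or
# removed go.mod or go.sum, i.e. the committed files are not tidy for this toolchain.
check_mod_tidy() {
    moddir="$1"
    go_cmd="${GO:-go}"
    snap="$(mktemp -d)"
    cp "$moddir/go.mod" "$snap/go.mod"
    # A dependency-free module has no go.sum; guard the copy instead of failing on it.
    if [ -f "$moddir/go.sum" ]; then
        cp "$moddir/go.sum" "$snap/go.sum"
    fi

    if ! (cd "$moddir" && "$go_cmd" mod tidy); then
        echo "FAIL: go mod tidy exited non-zero (toolchain too old for the go directive?)" >&2
        rm -rf "$snap"
        return 1
    fi

    rc=0
    for f in go.mod go.sum; do
        if [ -f "$snap/$f" ] && [ -f "$moddir/$f" ]; then
            cmp -s "$snap/$f" "$moddir/$f" || { echo "FAIL: tidy modified $f" >&2; rc=2; }
        elif [ -f "$snap/$f" ] || [ -f "$moddir/$f" ]; then
            # Only one side exists: tidy created or removed the file.
            echo "FAIL: tidy created or removed $f" >&2
            rc=2
        fi
    done
    rm -rf "$snap"
    [ "$rc" -eq 0 ] && echo "OK: go mod tidy left go.mod and go.sum unchanged"
    return "$rc"
}
```

In a task step this runs as `load_hermetic_env && check_mod_tidy "$(pwd)"`; with `set -e` in force, a missing env file or a non-zero return from the check fails the step, and the distinct return codes separate "toolchain cannot run tidy" from "files are not tidy", which matters once another CI job owns the second of those.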
Images are ready for the commit at c578982. To use with deploy scripts, first
Codecov Report
✅ All modified and coverable lines are covered by tests.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #19737      +/-   ##
==========================================
+ Coverage   49.58%   49.60%   +0.01%
==========================================
  Files        2756     2756
  Lines      207951   208036      +85
==========================================
+ Hits       103112   103187      +75
- Misses      97177    97188      +11
+ Partials     7662     7661       -1

Flags with carried forward coverage won't be shown.
The diff checking is unnecessary because go mod tidy will naturally fail with a clear error if the Go version is incompatible: 'go: go.mod requires go >= X.Y.Z (running go A.B.C)'

Changes:
- Keep Cachi2 prefetch task (required for hermetic dependency download)
- Keep artifact extraction and environment sourcing
- Remove file copying (cp go.mod go.mod.before)
- Remove diff checking logic
- Remove verbose error messages
- Simplify to just run go mod tidy and report success

This pipeline validates only: Can the installed Go version run go mod tidy? Other CI jobs check whether go.mod/go.sum are properly tidied.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

The build-pipeline-go-mod-validation service account hasn't been created yet. Temporarily use build-pipeline-roxctl to test the pipeline logic.

TODO: Request the dedicated service account from Konflux admins:
Name: build-pipeline-go-mod-validation
Namespace: rh-acs-tenant
Copy permissions from: build-pipeline-roxctl

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

The build-pipeline-roxctl service account only has write access to quay.io/rhacs-eng/release-roxctl, not go-mod-validation. Temporarily use release-roxctl for storing OCI artifacts (git clone and Cachi2 prefetch results).

TODO: Once dedicated service account is created, change back to quay.io/rhacs-eng/go-mod-validation

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

The openshift-golang-builder image doesn't include oras, which is needed to extract OCI artifacts. Install it at runtime from GitHub releases. This adds ~5 seconds to the pipeline but avoids needing a custom image.

Alternative considered: Create a custom Dockerfile with oras pre-installed, but that adds maintenance overhead for a simple validation pipeline.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
/konflux-retest go-mod-validation-on-push

/konflux-retest operator-bundle-on-push
Description
Create a minimal, hermetic Konflux pipeline to verify Go version compatibility by running 'go mod tidy'.
This change was partially generated with AI assistance.
User-facing documentation
Testing and quality
Automated testing
How I validated my change
CI