5 changes: 5 additions & 0 deletions .github/labeler.yml
@@ -93,3 +93,8 @@ coderabbit-review:
- roxctl/**/*
- scripts/ci/**/
- sensor/**/*

go-mod-check:
- changed-files:
- any-glob-to-any-file:
- go.mod
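Review bot: the `go-mod-check` glob lists only `go.mod`, so a PR that edits the check's own definition in `.tekton/go-mod-validation-build.yaml` or `.tekton/go-mod-validation-pipeline.yaml` (both added in this PR) would not receive the label, and because the PipelineRun's `on-cel-expression` requires that label, changes to the validation pipeline would never exercise the pipeline they modify. Suggest extending `any-glob-to-any-file` with `- go.sum` and `- .tekton/go-mod-validation-*.yaml`.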
Comment on lines +97 to +100
⚠️ Potential issue | 🟠 Major

Include go.sum in the auto-trigger label.

The validation fails on drift in either go.mod or go.sum, but this label is only applied for go.mod. A PR that only updates go.sum will skip the new check entirely.

Suggested fix
 go-mod-check:
 - changed-files:
   - any-glob-to-any-file:
     - go.mod
+    - go.sum
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/labeler.yml around lines 97 - 100, the go-mod-check label currently
triggers only when go.mod changes (see label name "go-mod-check" and the
"changed-files -> any-glob-to-any-file -> - go.mod" entry); update that label's
changed-files pattern to include go.sum as well (add "- go.sum" alongside "-
go.mod") so the auto-trigger fires for changes to either file.

72 changes: 72 additions & 0 deletions .tekton/go-mod-validation-build.yaml
@@ -0,0 +1,72 @@
apiVersion: tekton.dev/v1
kind: PipelineRun

metadata:
annotations:
build.appstudio.openshift.io/repo: https://github.com/stackrox/stackrox?rev={{revision}}
build.appstudio.redhat.com/commit_sha: '{{revision}}'
build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}'
build.appstudio.redhat.com/target_branch: '{{target_branch}}'
pipelinesascode.tekton.dev/max-keep-runs: "500"
pipelinesascode.tekton.dev/on-comment: "/konflux-retest go-mod-validation"
pipelinesascode.tekton.dev/on-cel-expression: |
event == "pull_request" &&
(has(body.pull_request) && has(body.pull_request.labels) &&
body.pull_request.labels.exists(l, l.name == "go-mod-check")) &&
body.action != "ready_for_review"
pipelinesascode.tekton.dev/on-label: "[]"
labels:
appstudio.openshift.io/application: acs
appstudio.openshift.io/component: go-mod-validation
pipelines.appstudio.openshift.io/type: build
name: go-mod-validation-on-push
namespace: rh-acs-tenant

spec:

params:
- name: git-url
value: '{{source_url}}'
- name: revision
value: '{{revision}}'
- name: output-image-repo
# TODO: Change to quay.io/rhacs-eng/go-mod-validation once dedicated service account is created
value: quay.io/rhacs-eng/release-roxctl
- name: clone-depth
value: '1'
- name: clone-fetch-tags
value: 'false'
- name: oci-artifact-expires-after
value: '1d'
- name: prefetch-input
value: |
[
{ "type": "gomod", "path": "." }
]

pipelineRef:
name: go-mod-validation-pipeline

taskRunSpecs:
- pipelineTaskName: prefetch-dependencies
stepSpecs:
- name: prefetch-dependencies
computeResources:
limits:
cpu: 2
requests:
cpu: 2

taskRunTemplate:
# TODO: Change to build-pipeline-go-mod-validation once created
serviceAccountName: build-pipeline-roxctl

timeouts:
tasks: 10m
finally: 2m
pipeline: 12m

workspaces:
- name: git-auth
secret:
secretName: '{{ git_auth_secret }}'
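Review bot: this validation-only PipelineRun borrows the roxctl release identity, `output-image-repo: quay.io/rhacs-eng/release-roxctl` and `serviceAccountName: build-pipeline-roxctl`, both flagged with TODOs in the hunk. A job that only needs to clone, prefetch and run `go mod tidy` is thereby given push access to a release image repository, which is more privilege than it needs. Suggest creating the dedicated `quay.io/rhacs-eng/go-mod-validation` repository and `build-pipeline-go-mod-validation` service account before this merges, or at least referencing a tracking issue in each TODO so the temporary grant does not become permanent. Separately, `name: go-mod-validation-on-push` does not match the `event == "pull_request"` trigger in `on-cel-expression`; `go-mod-validation-on-pull-request` would describe the run accurately.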
222 changes: 222 additions & 0 deletions .tekton/go-mod-validation-pipeline.yaml
@@ -0,0 +1,222 @@
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
name: go-mod-validation-pipeline
spec:

finally:
- name: slack-notification
params:
- name: message
value: ':x: `{{event_type}}` pipeline for <https://konflux-ui.apps.stone-prd-rh01.pg1f.p1.openshiftapps.com/ns/$(context.pipelineRun.namespace)/pipelinerun/$(context.pipelineRun.name)|$(context.pipelineRun.name)> (`go.mod validation`, revision <$(params.git-url)/commit/$(params.revision)|$(params.revision)>) has failed.'
- name: key-name
value: 'acs-konflux-notifications'
when:
- input: $(tasks.status)
operator: in
values: ["Failed"]
taskRef:
params:
- name: name
value: slack-webhook-notification
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-slack-webhook-notification:0.1@sha256:3eff579c511d6c5e846175920e8f184a87337e142bbc4c30107e76bda4a325cb
- name: kind
value: task
resolver: bundles

- name: post-metric-end
params:
- name: AGGREGATE_TASKS_STATUS
value: $(tasks.status)
taskRef: &post-bigquery-metrics-ref
params:
- name: name
value: post-bigquery-metrics
- name: bundle
value: quay.io/rhacs-eng/konflux-tasks:latest@sha256:6d3297c7b231c086c8221087e4b315e422da4207823444a00faf411002523af0
- name: kind
value: task
resolver: bundles

params:
- description: Source Repository URL
name: git-url
type: string
- default: ""
description: Revision of the Source Repository
name: revision
type: string
- description: Output Image Repository (for OCI artifacts)
name: output-image-repo
type: string
- default: "1"
description: Depth of the git clone in number of commits. Use "1" for shallow clone. Use "0" for deep clone, i.e. to fetch all commits.
name: clone-depth
type: string
- default: "false"
description: Fetch tags with git clone
name: clone-fetch-tags
type: string
- default: "1d"
description: This sets the expiration time for intermediate OCI artifacts produced and used during builds after which they can be garbage collected.
name: oci-artifact-expires-after
type: string
- default: "false"
description: Enable cache proxy configuration
name: enable-cache-proxy
type: string
- default: ""
description: Build dependencies to be prefetched by Cachi2
name: prefetch-input
type: string

results:
- description: ""
name: CHAINS-GIT_URL
value: $(tasks.clone-repository.results.url)
- description: ""
name: CHAINS-GIT_COMMIT
value: $(tasks.clone-repository.results.commit)
- description: ""
name: GO_VERSION
value: $(tasks.verify-go-mod-tidy.results.GO_VERSION)

workspaces:
- name: git-auth

tasks:

- name: post-metric-start
taskRef: *post-bigquery-metrics-ref

- name: init
params:
- name: enable-cache-proxy
value: $(params.enable-cache-proxy)
taskRef:
params:
- name: name
value: init
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19
- name: kind
value: task
resolver: bundles

- name: clone-repository
params:
- name: url
value: $(params.git-url)
- name: revision
value: $(params.revision)
- name: depth
value: $(params.clone-depth)
- name: fetchTags
value: $(params.clone-fetch-tags)
- name: ociStorage
value: $(params.output-image-repo):konflux-$(params.revision).git
- name: ociArtifactExpiresAfter
value: $(params.oci-artifact-expires-after)
taskRef:
params:
- name: name
value: git-clone-oci-ta
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:2c388d28651457db60bb90287e7d8c3680303197196e4476878d98d81e8b6dc9
- name: kind
value: task
resolver: bundles
workspaces:
- name: basic-auth
workspace: git-auth

- name: prefetch-dependencies
params:
- name: input
value: $(params.prefetch-input)
- name: SOURCE_ARTIFACT
value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
- name: ociStorage
value: $(params.output-image-repo):konflux-$(params.revision).prefetch
- name: ociArtifactExpiresAfter
value: $(params.oci-artifact-expires-after)
taskRef:
params:
- name: name
value: prefetch-dependencies-oci-ta
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.3@sha256:a579d00fe370b6d9a1cb1751c883ecd0ec9f663604344e2fd61e1f6d5bf4e990
- name: kind
value: task
resolver: bundles
workspaces:
- name: git-basic-auth
workspace: git-auth

- name: verify-go-mod-tidy
params:
- name: SOURCE_ARTIFACT
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
- name: CACHI2_ARTIFACT
value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
taskSpec:
params:
- name: SOURCE_ARTIFACT
type: string
- name: CACHI2_ARTIFACT
type: string
results:
- name: GO_VERSION
description: Go version used for validation
steps:
- name: verify
image: brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_golang_1.25@sha256:bd531796aacb86e4f97443797262680fbf36ca048717c00b6f4248465e1a7c0c
script: |
#!/bin/bash
set -euo pipefail

# Install oras CLI
echo "=== Installing oras ==="
curl -LO https://github.com/oras-project/oras/releases/download/v1.1.0/oras_1.1.0_linux_amd64.tar.gz
tar -xzf oras_1.1.0_linux_amd64.tar.gz
chmod +x oras
mv oras /usr/local/bin/

# Extract source and Cachi2 artifacts from OCI storage
echo "=== Extracting source artifact ==="
SOURCE_OCI_PATH="${SOURCE_ARTIFACT#oci::}"
mkdir -p /workspace/source
oras pull -o /workspace/source "$SOURCE_OCI_PATH"

echo "=== Extracting Cachi2 artifact ==="
CACHI2_OCI_PATH="${CACHI2_ARTIFACT#oci::}"
mkdir -p /workspace/cachi2
oras pull -o /workspace/cachi2 "$CACHI2_OCI_PATH"

cd /workspace/source

# Inject Cachi2 environment for hermetic build
if [ -f /workspace/cachi2/cachi2.env ]; then
echo "=== Sourcing Cachi2 environment ==="
set +u
source /workspace/cachi2/cachi2.env
set -u
else
echo "WARNING: cachi2.env not found, proceeding without hermetic environment"
fi
Comment on lines +200 to +207
⚠️ Potential issue | 🟠 Major

Fail fast when cachi2.env is missing.

This check is supposed to validate the hermetic path, and the paired PipelineRun always supplies prefetch-input. Continuing without cachi2.env can turn a broken prefetch/configuration into a false green run.

Suggested fix
-          if [ -f /workspace/cachi2/cachi2.env ]; then
-            echo "=== Sourcing Cachi2 environment ==="
-            set +u
-            source /workspace/cachi2/cachi2.env
-            set -u
-          else
-            echo "WARNING: cachi2.env not found, proceeding without hermetic environment"
-          fi
+          if [ ! -f /workspace/cachi2/cachi2.env ]; then
+            echo "ERROR: cachi2.env not found; aborting because this validation must run hermetically"
+            exit 1
+          fi
+          echo "=== Sourcing Cachi2 environment ==="
+          set +u
+          source /workspace/cachi2/cachi2.env
+          set -u
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.tekton/go-mod-validation-pipeline.yaml around lines 193 - 200, the current
shell block silently continues if /workspace/cachi2/cachi2.env is missing;
change it to fail-fast by exiting with a non-zero status when the file is not
found. Modify the existing if/else that checks /workspace/cachi2/cachi2.env so
that the else branch echoes a clear error (e.g., "ERROR: cachi2.env not found")
and calls exit 1, ensuring the PipelineRun/prefetch-input validation cannot be
bypassed.


# Report Go version
echo "=== Go Version Check ==="
go version | tee $(results.GO_VERSION.path)

# Run go mod tidy - will fail if Go version is incompatible
echo "=== Running go mod tidy ==="
go mod tidy

echo "=== SUCCESS: Go version is compatible with go.mod requirements ==="
env:
- name: SOURCE_ARTIFACT
value: $(params.SOURCE_ARTIFACT)
- name: CACHI2_ARTIFACT
value: $(params.CACHI2_ARTIFACT)
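Review bot: the `verify` step's `go mod tidy` exits zero after rewriting go.mod and go.sum in place, so the step only proves the toolchain can resolve the module graph; it does not fail when the committed files are stale, even though the labeler comment describes this check as failing on drift. If drift is meant to fail the run, snapshot both files before tidy and diff afterwards, e.g. `cp go.mod go.sum /tmp/ && go mod tidy && diff -u /tmp/go.mod go.mod && diff -u /tmp/go.sum go.sum`, which aborts under `set -e` on any difference. Second, `curl -LO https://github.com/oras-project/oras/releases/download/v1.1.0/...` followed by `mv oras /usr/local/bin/` installs and executes a binary with no integrity check, inside a job whose stated purpose is hermetic validation; pin the expected SHA-256 and verify it with `sha256sum -c` before the `mv`, or bake oras into the builder image so the step needs no network at all. Finally, the three pipeline `results` entries (`CHAINS-GIT_URL`, `CHAINS-GIT_COMMIT`, `GO_VERSION`) all carry `description: ""`; a one-line description each would make the outputs self-documenting.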