diff --git a/.github/labeler.yml b/.github/labeler.yml
index e00c2410a6e22..e572af38fd6cf 100644
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -93,3 +93,8 @@ coderabbit-review:
 - roxctl/**/*
 - scripts/ci/**/
 - sensor/**/*
+
+go-mod-check:
+- changed-files:
+ - any-glob-to-any-file:
+ - go.mod
diff --git a/.tekton/go-mod-validation-build.yaml b/.tekton/go-mod-validation-build.yaml
new file mode 100644
index 0000000000000..dd3b9bd5f2c66
--- /dev/null
+++ b/.tekton/go-mod-validation-build.yaml
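Review bot: The new `go-mod-check` rule matches only the root `go.mod`, so a PR that changes just `go.sum` (or a nested module file, if the repository has any) never receives the label and therefore never triggers the PipelineRun in `.tekton/go-mod-validation-build.yaml`, whose `on-cel-expression` keys on exactly this label. Add the checksum file to the same glob list, `- go.sum` directly beneath `- go.mod`, so dependency updates that only touch checksums are validated as well. Because the label appears to be applied automatically by the labeler workflow, it is also worth confirming that carrying it does not by itself bypass whatever approval step Pipelines-as-Code normally applies to runs from forks.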
@@ -0,0 +1,72 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+
+metadata:
+ annotations:
+ build.appstudio.openshift.io/repo: https://github.com/stackrox/stackrox?rev={{revision}}
+ build.appstudio.redhat.com/commit_sha: '{{revision}}'
+ build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}'
+ build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+ pipelinesascode.tekton.dev/max-keep-runs: "500"
+ pipelinesascode.tekton.dev/on-comment: "/konflux-retest go-mod-validation"
+ pipelinesascode.tekton.dev/on-cel-expression: |
+ event == "pull_request" &&
+ (has(body.pull_request) && has(body.pull_request.labels) &&
+ body.pull_request.labels.exists(l, l.name == "go-mod-check")) &&
+ body.action != "ready_for_review"
+ pipelinesascode.tekton.dev/on-label: "[]"
+ labels:
+ appstudio.openshift.io/application: acs
+ appstudio.openshift.io/component: go-mod-validation
+ pipelines.appstudio.openshift.io/type: build
+ name: go-mod-validation-on-push
+ namespace: rh-acs-tenant
+
+spec:
+
+ params:
+ - name: git-url
+ value: '{{source_url}}'
+ - name: revision
+ value: '{{revision}}'
+ - name: output-image-repo
+ # TODO: Change to quay.io/rhacs-eng/go-mod-validation once dedicated service account is created
+ value: quay.io/rhacs-eng/release-roxctl
+ - name: clone-depth
+ value: '1'
+ - name: clone-fetch-tags
+ value: 'false'
+ - name: oci-artifact-expires-after
+ value: '1d'
+ - name: prefetch-input
+ value: |
+ [
+ { "type": "gomod", "path": "." }
+ ]
+
+ pipelineRef:
+ name: go-mod-validation-pipeline
+
+ taskRunSpecs:
+ - pipelineTaskName: prefetch-dependencies
+ stepSpecs:
+ - name: prefetch-dependencies
+ computeResources:
+ limits:
+ cpu: 2
+ requests:
+ cpu: 2
+
+ taskRunTemplate:
+ # TODO: Change to build-pipeline-go-mod-validation once created
+ serviceAccountName: build-pipeline-roxctl
+
+ timeouts:
+ tasks: 10m
+ finally: 2m
+ pipeline: 12m
+
+ workspaces:
+ - name: git-auth
+ secret:
+ secretName: '{{ git_auth_secret }}'
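Review bot: The `output-image-repo` and `serviceAccountName` values point this pull-request-triggered run at `quay.io/rhacs-eng/release-roxctl` under `build-pipeline-roxctl`, so a pipeline whose only job is to validate go.mod inherits credentials that can push into a release image repository; the two TODO comments acknowledge the interim state, but nothing on the page bounds it beyond the `1d` artifact expiry. Keep the interim explicit and tracked, e.g. extend the comment to `# TODO(<tracking-issue>): interim — shares the release-roxctl push credentials; switch to the dedicated SA/repo before widening the trigger`, and confirm that the Pipelines-as-Code approval gating for fork PRs still applies when the trigger is a label the labeler applies automatically rather than a maintainer action. Separately, `name: go-mod-validation-on-push` is misleading because the `on-cel-expression` only fires for `event == "pull_request"`; `name: go-mod-validation-on-pull-request` would match the trigger and the `on-comment` retest keyword.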
diff --git a/.tekton/go-mod-validation-pipeline.yaml b/.tekton/go-mod-validation-pipeline.yaml
new file mode 100644
index 0000000000000..86501970e5d78
--- /dev/null
+++ b/.tekton/go-mod-validation-pipeline.yaml
@@ -0,0 +1,222 @@ +apiVersion: tekton.dev/v1 +kind: Pipeline +metadata: + name: go-mod-validation-pipeline +spec: + + finally: + - name: slack-notification + params: + - name: message + value: ':x: `{{event_type}}` pipeline for (`go.mod validation`, revision <$(params.git-url)/commit/$(params.revision)|$(params.revision)>) has failed.' + - name: key-name + value: 'acs-konflux-notifications' + when: + - input: $(tasks.status) + operator: in + values: ["Failed"] + taskRef: + params: + - name: name + value: slack-webhook-notification + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-slack-webhook-notification:0.1@sha256:3eff579c511d6c5e846175920e8f184a87337e142bbc4c30107e76bda4a325cb + - name: kind + value: task + resolver: bundles + + - name: post-metric-end + params: + - name: AGGREGATE_TASKS_STATUS + value: $(tasks.status) + taskRef: &post-bigquery-metrics-ref + params: + - name: name + value: post-bigquery-metrics + - name: bundle + value: quay.io/rhacs-eng/konflux-tasks:latest@sha256:6d3297c7b231c086c8221087e4b315e422da4207823444a00faf411002523af0 + - name: kind + value: task + resolver: bundles + + params: + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Output Image Repository (for OCI artifacts) + name: output-image-repo + type: string + - default: "1" + description: Depth of the git clone in number of commits. Use "1" for shallow clone. Use "0" for deep clone, i.e. to fetch all commits. + name: clone-depth + type: string + - default: "false" + description: Fetch tags with git clone + name: clone-fetch-tags + type: string + - default: "1d" + description: This sets the expiration time for intermediate OCI artifacts produced and used during builds after which they can be garbage collected. 
+ name: oci-artifact-expires-after + type: string + - default: "false" + description: Enable cache proxy configuration + name: enable-cache-proxy + type: string + - default: "" + description: Build dependencies to be prefetched by Cachi2 + name: prefetch-input + type: string + + results: + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + - description: "" + name: GO_VERSION + value: $(tasks.verify-go-mod-tidy.results.GO_VERSION) + + workspaces: + - name: git-auth + + tasks: + + - name: post-metric-start + taskRef: *post-bigquery-metrics-ref + + - name: init + params: + - name: enable-cache-proxy + value: $(params.enable-cache-proxy) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19 + - name: kind + value: task + resolver: bundles + + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + - name: depth + value: $(params.clone-depth) + - name: fetchTags + value: $(params.clone-fetch-tags) + - name: ociStorage + value: $(params.output-image-repo):konflux-$(params.revision).git + - name: ociArtifactExpiresAfter + value: $(params.oci-artifact-expires-after) + taskRef: + params: + - name: name + value: git-clone-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:2c388d28651457db60bb90287e7d8c3680303197196e4476878d98d81e8b6dc9 + - name: kind + value: task + resolver: bundles + workspaces: + - name: basic-auth + workspace: git-auth + + - name: prefetch-dependencies + params: + - name: input + value: $(params.prefetch-input) + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: ociStorage + value: 
$(params.output-image-repo):konflux-$(params.revision).prefetch + - name: ociArtifactExpiresAfter + value: $(params.oci-artifact-expires-after) + taskRef: + params: + - name: name + value: prefetch-dependencies-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.3@sha256:a579d00fe370b6d9a1cb1751c883ecd0ec9f663604344e2fd61e1f6d5bf4e990 + - name: kind + value: task + resolver: bundles + workspaces: + - name: git-basic-auth + workspace: git-auth + + - name: verify-go-mod-tidy + params: + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + taskSpec: + params: + - name: SOURCE_ARTIFACT + type: string + - name: CACHI2_ARTIFACT + type: string + results: + - name: GO_VERSION + description: Go version used for validation + steps: + - name: verify + image: brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_golang_1.25@sha256:bd531796aacb86e4f97443797262680fbf36ca048717c00b6f4248465e1a7c0c + script: | + #!/bin/bash + set -euo pipefail + + # Install oras CLI + echo "=== Installing oras ===" + curl -LO https://github.com/oras-project/oras/releases/download/v1.1.0/oras_1.1.0_linux_amd64.tar.gz + tar -xzf oras_1.1.0_linux_amd64.tar.gz + chmod +x oras + mv oras /usr/local/bin/ + + # Extract source and Cachi2 artifacts from OCI storage + echo "=== Extracting source artifact ===" + SOURCE_OCI_PATH="${SOURCE_ARTIFACT#oci::}" + mkdir -p /workspace/source + oras pull -o /workspace/source "$SOURCE_OCI_PATH" + + echo "=== Extracting Cachi2 artifact ===" + CACHI2_OCI_PATH="${CACHI2_ARTIFACT#oci::}" + mkdir -p /workspace/cachi2 + oras pull -o /workspace/cachi2 "$CACHI2_OCI_PATH" + + cd /workspace/source + + # Inject Cachi2 environment for hermetic build + if [ -f /workspace/cachi2/cachi2.env ]; then + echo "=== Sourcing Cachi2 environment ===" + set +u + source /workspace/cachi2/cachi2.env + set -u + 
else + echo "WARNING: cachi2.env not found, proceeding without hermetic environment" + fi + + # Report Go version + echo "=== Go Version Check ===" + go version | tee $(results.GO_VERSION.path) + + # Run go mod tidy - will fail if Go version is incompatible + echo "=== Running go mod tidy ===" + go mod tidy + + echo "=== SUCCESS: Go version is compatible with go.mod requirements ===" + env: + - name: SOURCE_ARTIFACT + value: $(params.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(params.CACHI2_ARTIFACT)
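Review bot: The `verify` step of `verify-go-mod-tidy` fetches the oras binary over the network with `curl -LO` and installs it into `/usr/local/bin` without any integrity check, which undercuts the Cachi2/hermetic setup the same script goes on to source and makes the validation depend on whatever the release URL serves at run time. Pin the release and fail on HTTP errors, e.g. `curl -fsSLO https://github.com/oras-project/oras/releases/download/v1.1.0/oras_1.1.0_linux_amd64.tar.gz` followed by `echo "<ORAS_1_1_0_SHA256>  oras_1.1.0_linux_amd64.tar.gz" | sha256sum -c -` (digest taken from the upstream release checksums), or better, bake oras into the builder image or prefetch it so nothing is downloaded during the step. A second gap: `go mod tidy` is executed but its effect is never checked, so a PR whose go.mod/go.sum are stale still passes; if the source artifact carries the git metadata, append `git diff --exit-code -- go.mod go.sum` after it, otherwise diff against copies taken before the tidy. The task name and the `GO_VERSION` result suggest both checks are intended, while the final echo only claims Go-version compatibility — align the message with what is actually verified.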