From debf59c14a960ad10b7f51f3b41bcac9f9e4020d Mon Sep 17 00:00:00 2001 From: davdhacs <105243888+davdhacs@users.noreply.github.com> Date: Wed, 8 Apr 2026 14:53:53 -0600 Subject: [PATCH 1/2] fix: derive RHEL base image version from release branch Tekton config The verify-release script hardcoded rhacs-main-rhel9, which fails for releases 4.10 and below that use rhel8 base images. Instead of hardcoding a version cutoff, read the externalRepo from the release branch's .tekton/create-custom-snapshot.yaml which is the source of truth for the downstream image repository name. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/scripts/verify-release.sh | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/.github/workflows/scripts/verify-release.sh b/.github/workflows/scripts/verify-release.sh index 8cccaaf5efbd9..c2905edd4a5fe 100644 --- a/.github/workflows/scripts/verify-release.sh +++ b/.github/workflows/scripts/verify-release.sh @@ -91,7 +91,19 @@ validate_helm_charts() { validate_images() { RELEASE_PATCH="$1" - check_docker_image "registry.redhat.io/advanced-cluster-security/rhacs-main-rhel9:${RELEASE_PATCH}" + # Derive the downstream main image repo from the release branch's Tekton config, + # which is the source of truth for whether the release uses rhel8 or rhel9 base images. + local release_branch="release-${RELEASE_PATCH%.*}" + local main_repo + main_repo=$(gh api -H "$ACCEPT_RAW" "/repos/${GITHUB_REPOSITORY}/contents/.tekton/create-custom-snapshot.yaml?ref=${release_branch}" \ + | grep -o '"externalRepo": "[^"]*rhacs-main[^"]*"' \ + | head -1 \ + | sed 's/"externalRepo": "//;s/"//') + if [[ -z "${main_repo}" ]]; then + gh_log error "Could not determine main image repo from .tekton/create-custom-snapshot.yaml on ${release_branch}" + return 1 + fi + check_docker_image "${main_repo}:${RELEASE_PATCH}" check_docker_image "quay.io/stackrox-io/main:${RELEASE_PATCH}" check_docker_image "quay.io/rhacs-eng/main:${RELEASE_PATCH}" } From 3f82e370742c1c9f62ace42c7ce9150fe1216575 Mon Sep 17 00:00:00 2001 From: David House <105243888+davdhacs@users.noreply.github.com> Date: Thu, 9 Apr 2026 08:45:26 -0600 Subject: [PATCH 2/2] optimization by @tommartensen Co-authored-by: Tom Martensen --- .github/workflows/scripts/verify-release.sh | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) diff --git a/.github/workflows/scripts/verify-release.sh b/.github/workflows/scripts/verify-release.sh index c2905edd4a5fe..62c700b08f430 100644 --- a/.github/workflows/scripts/verify-release.sh +++ b/.github/workflows/scripts/verify-release.sh @@ -91,19 +91,7 @@ validate_helm_charts() { validate_images() { RELEASE_PATCH="$1" - # Derive the downstream main image repo from the release branch's Tekton config, - # which is the source of truth for whether the release uses rhel8 or rhel9 base images. - local release_branch="release-${RELEASE_PATCH%.*}" - local main_repo - main_repo=$(gh api -H "$ACCEPT_RAW" "/repos/${GITHUB_REPOSITORY}/contents/.tekton/create-custom-snapshot.yaml?ref=${release_branch}" \ - | grep -o '"externalRepo": "[^"]*rhacs-main[^"]*"' \ - | head -1 \ - | sed 's/"externalRepo": "//;s/"//') - if [[ -z "${main_repo}" ]]; then - gh_log error "Could not determine main image repo from .tekton/create-custom-snapshot.yaml on ${release_branch}" - return 1 - fi - check_docker_image "${main_repo}:${RELEASE_PATCH}" + check_docker_image "registry.redhat.io/advanced-cluster-security/rhacs-operator-bundle:${RELEASE_PATCH}" check_docker_image "quay.io/stackrox-io/main:${RELEASE_PATCH}" check_docker_image "quay.io/rhacs-eng/main:${RELEASE_PATCH}" }