feat(ISV-7320): sign-index-image task uses direct container signing #1
Draft
JakubDurkac wants to merge 24 commits into
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
From release-service-utils update to always clean up the checksum host. PR 820 Use a finally block to ensure the checksum host is always cleaned up rather than only on the successful path. Assisted-by: Cursor AI Signed-off-by: Scott Wickersham <swickers@redhat.com>
Replace the inline bash script with a call to the Python script in the release-service-utils image. Assisted-by: Claude Code Signed-off-by: Filip Nikolovski <fnikolov@redhat.com>
Replace the inline bash script in the make-repo-public task step with a call to the Python make_repo_public module from release-service-utils. The task step now sets environment variables and invokes the script via command instead of embedding the logic in a script block. Add TLS and POST method support to the mock_http_json test framework so tasks that call HTTPS endpoints with non-GET methods can use the lightweight mocks.yaml approach instead of deploying full Kubernetes services. Assisted-by: Cursor Signed-off-by: Lubomir Gallovic <lgallovi@redhat.com>
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
This PR adds a multi-component opt-in scenario for FBC builds and in addition fixes the situation when the pyxis url is not changed to stage when the pyxisServer parameter is "stage".
- adds pyxisUrl to check-fbc-opt-in pipeline and task
- keep default values only in the pipeline file
- add tests
- use stage pyxis url when pyxisServer is set to stage
- update README and remove comment from kustomization.yaml
Assisted-by: claude
Signed-off-by: Leandro Mendes <lmendes@redhat.com>
call utils script from filter-already-released-advisory-images task Signed-off-by: Elena German <elgerman@redhat.com> Assisted-by: Claude
Update update-infra-deployments task with new utils image that contains the fix for the PR references in changelog commit messages. Signed-off-by: Filip Nikolovski <fnikolov@redhat.com>
Replace the inline bash script with a call to the Python script in the release-service-utils image. Tekton test mocks are converted to the declarative mocks.yaml pattern compatible with the Python entrypoint, and scenario-specific tests that are now covered by pytest in the utils repo are removed. Assisted-by: Claude Code Signed-off-by: Filip Nikolovski <fnikolov@redhat.com>
This reverts commit 9a589d4. Due to a bug in the Python script, reused IIB builds cause missing iibLog result, failing PipelineRuns with CouldntGetPipelineResult. Signed-off-by: Filip Nikolovski <fnikolov@redhat.com>
The jira_ci.py script no longer works after the Jira migration. Replace it with a call to a Jira Automation webhook that handles ticket updates (label swaps, comments, transitions) via an automation rule. The parsed tickets payload format has changed to group PRs by ticket, as Jira Automation's smart values cannot correlate individual entries back to the current issue being processed. Requires JIRA_AUTOMATION_WEBHOOK_URL and JIRA_AUTOMATION_WEBHOOK_TOKEN repository secrets. Assisted-by: Cursor Signed-off-by: Lubomir Gallovic <lgallovi@redhat.com>
Remove unreleased_rpms and in_advisory_rpms results from the internal task to fix Tekton's 4096-byte termination message limit being exceeded when the RPM list is large. The same data is already passed via the OCI artifact (filter_results_artifact) which the managed task consumes. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Scott Hebert <scoheb@gmail.com>
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
…83d9c2d Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
This commit replaces the inline task script for publish-pyxis-repository with a standalone python script contained in the utils image. The tekton unit tests are updated accordingly. We only keep one happy path test as the other scenarios are covered by pytest in the utils repo. Assisted-By: Cursor Signed-off-by: Johnny Bieren <jbieren@redhat.com>
This commit replaces the inline task script for the get-advisory-severity internal task with a standalone python script contained in the utils image. The tekton unit tests are updated accordingly. We only keep one happy path test as the other scenarios are covered by pytest in the utils repo. Assisted-By: Cursor Signed-off-by: Johnny Bieren <jbieren@redhat.com>
Replace the inline bash script with a call to the python check_labels.py script from release-service-utils. Remove all bash-era test files superseded by python unit tests. Assisted-by: Cursor Signed-off-by: Lubomir Gallovic <lgallovi@redhat.com>
Binary components that push only to the customer portal must nest their files under staged.files to drive Pulp destination routing. The binary code path in populate-release-notes only looked at .files directly on the component, so FILES_LENGTH evaluated to 0 and releaseNotes.content was never written, causing check-data-keys to fail schema validation. The binary path in create-advisory had the same gap when resolving filenames for PURL construction. Both tasks now fall back to staged.files when .files is absent. Existing behaviour for components with a top-level .files array is unchanged. Assisted-by: Cursor AI Signed-off-by: Scott Wickersham <swickers@redhat.com>
Replace the 8 embedded bash steps in push-artifacts-to-cdn-task with calls to a single standalone Python script from release-service-utils. Assisted-by: Cursor AI Signed-off-by: Scott Wickersham <swickers@redhat.com>
Update the conforma tekton-catalog revision for the verify-conforma-konflux-ta task across all managed pipelines. This change contains a patch to help teams switch to the new trusted_task_rules schema. Signed-off-by: jstuart@redhat.com Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Jindrich Luza <jluza@redhat.com>
New Tekton task for signing FBC index images via the container-signing pipeline. The task has similar functionality to the old sign-index-image task, but it uses direct container signing instead of the Radas/UMB solution. Also, it outsources all the existing core logic from bash to a new python util it invokes, direct_sign_index_image.py, passing all parameters as CLI arguments.
- Passes signing params (pyxis-server, pipeline, pipeline-image, requester, batch-max-size, etc.) as CLI arguments to Python
- Pyxis secret mounted at /etc/secrets, paths set via env vars
- Includes Tekton integration test using Python mock pattern
- Generated README from task YAML
Assisted-by: Claude Opus 4.6
Signed-off-by: Jakub Durkac <jdurkac@redhat.com>
NOTE:
This PR adds a new direct-sign-index-image tekton task that is meant to match a new python utility, direct_sign_index_image.py, developed in the release-service-utils repo (konflux-ci/release-service-utils#823).
CHANGES FROM THE OLDER VERSION OF THE TASK (sign-index-image):
Replaces inline bash signing logic with a call to prepare_index_image_signing (Python, from release-service-utils). Switches the default pipeline from simple-signing-pipeline to container-signing, passing signing_requests and pipeline_image instead of per-item references/digests/repositories and UMB params.
Requests to the new direct signing pipeline, as well as all other logic, were moved into the new python util direct_sign_index_image.py. This task is only responsible for calling it with the right parameters.
Assisted-by: Claude Opus 4.6
Relevant Jira
ISV-7320
Checklist before requesting a review
- do not merge label if there's a dependency PR
- release-service-maintainers handle if you are unsure who to tag
- Signed-off-by: My name <email>
- .github/scripts/readme_generator.sh and verified the results using .github/scripts/check_readme.sh
- Assisted-By: Cursor
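The pattern the PR description and the task commit message spell out (params forwarded as CLI arguments to a Python script shipped in the utils image, a Pyxis secret mounted at /etc/secrets with only file paths exposed through env vars) looks roughly like the Tekton Task below. This is an added illustration, not the PR's task YAML: the param names come from the commit message, while the script's flag names, the secret name, its key names and the image reference are assumptions.

```yaml
# Added example (not the PR's own task definition). Shows a Tekton task that
# delegates its logic to a Python script in the release-service-utils image and
# keeps credential material out of the argument list. Param names follow the
# commit message; flag names, secret name/keys and the image ref are assumed.
apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: direct-sign-index-image
spec:
  params:
    - name: pyxis-server
      type: string
      default: production
    - name: pipeline
      type: string
      default: container-signing
    - name: pipeline-image
      type: string
    - name: requester
      type: string
    - name: batch-max-size
      type: string
      default: "50"
    - name: pyxisSecret            # assumed: Secret holding the Pyxis client cert/key
      type: string
  volumes:
    - name: pyxis-secret
      secret:
        secretName: $(params.pyxisSecret)
  steps:
    - name: sign-index-image
      image: quay.io/example/release-service-utils:latest   # placeholder image reference
      volumeMounts:
        - name: pyxis-secret
          mountPath: /etc/secrets
          readOnly: true
      env:
        # Only paths are exported; the key material itself never lands in
        # args, step logs or the TaskRun spec.
        - name: PYXIS_CERT_PATH
          value: /etc/secrets/cert     # assumed key name inside the Secret
        - name: PYXIS_KEY_PATH
          value: /etc/secrets/key      # assumed key name inside the Secret
      # `command` instead of an inline `script` block: every input is an
      # explicit param, so nothing is interpolated into shell text.
      command:
        - direct_sign_index_image.py
        - --pyxis-server
        - $(params.pyxis-server)
        - --pipeline
        - $(params.pipeline)
        - --pipeline-image
        - $(params.pipeline-image)
        - --requester
        - $(params.requester)
        - --batch-max-size
        - $(params.batch-max-size)
```

Two properties are worth checking when reviewing a task written this way: the secret volume is mounted read-only and referenced only by path, so the client key cannot be recovered from `kubectl get taskrun -o yaml` or from process listings inside the pod; and because the step uses a `command` array rather than an inline `script`, a param value containing shell metacharacters is passed to the Python entrypoint verbatim instead of being re-parsed by bash.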