Commit a7d37b4

scoheb and claude committed
feat(HUM-2061): optimize filter-advisory-rpms task
Add OCI artifact support, improve advisory matching, and fix ORAS_OPTIONS quoting that caused empty arg errors.

Signed-off-by: Scott Hebert <shebert@redhat.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1 parent 87e4b26 commit a7d37b4

11 files changed

Lines changed: 533 additions & 199 deletions

pipelines/internal/filter-already-released-advisory-rpms/README.md

Lines changed: 2 additions & 0 deletions
@@ -11,5 +11,7 @@ It returns lists of unreleased RPMs and RPMs found in advisories for digest vali
1111
| origin | The origin workspace where the release CR comes from | No | - |
1212
| advisory_secret_name | The name of the secret that contains the advisory GitLab metadata | No | - |
1313
| internalRequestPipelineRunName | Name of the PipelineRun that requested this pipeline | No | - |
14+
| ociStorage | The OCI repository to store results artifact | No | - |
1415
| taskGitUrl | The url to the git repo where the release-service-catalog tasks to be used are stored | Yes | https://github.com/konflux-ci/release-service-catalog.git |
1516
| taskGitRevision | The revision in the taskGitUrl repo to be used | No | - |
17+
| orasOptions | oras options to pass to oras calls | Yes | "" |
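
Review bot: the new `orasOptions` row gives no hint of what a valid value looks like, and the `ociStorage` row does not say whether the repository reference should include a tag or digest. Since the commit message says quoting of ORAS_OPTIONS caused empty-argument errors, state here that the default `""` means no extra arguments are passed, and give an example of the expected repository form for `ociStorage`. Consider also moving `orasOptions` next to `ociStorage` so the two related rows sit together in the table.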

pipelines/internal/filter-already-released-advisory-rpms/filter-already-released-advisory-rpms.yaml

Lines changed: 13 additions & 4 deletions
@@ -23,13 +23,20 @@ spec:
2323
- name: internalRequestPipelineRunName
2424
type: string
2525
description: Name of the PipelineRun that requested this pipeline
26+
- name: ociStorage
27+
type: string
28+
description: The OCI repository to store results artifact
2629
- name: taskGitUrl
2730
type: string
2831
description: The url to the git repo where the release-service-catalog tasks to be used are stored
2932
default: https://github.com/konflux-ci/release-service-catalog.git
3033
- name: taskGitRevision
3134
type: string
3235
description: The revision in the taskGitUrl repo to be used
36+
- name: orasOptions
37+
type: string
38+
description: oras options to pass to oras calls
39+
default: ""
3340
tasks:
3441
- name: filter-already-released-advisory-rpms-task
3542
taskRef:
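
Review bot: `ociStorage` is declared without a `default`, so every existing caller of this pipeline must now supply it or the run will be rejected for a missing parameter; confirm the callers are updated in the same change or give it a default. For `orasOptions`, the description `oras options to pass to oras calls` describes a free-form string forwarded to a command line: say which options are expected and consider validating the value in the task, because whoever can set this parameter can change how the registry is contacted.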
@@ -50,13 +57,15 @@ spec:
5057
value: $(params.advisory_secret_name)
5158
- name: internalRequestPipelineRunName
5259
value: $(params.internalRequestPipelineRunName)
60+
- name: ociStorage
61+
value: $(params.ociStorage)
62+
- name: orasOptions
63+
value: $(params.orasOptions)
5364
results:
5465
- name: result
5566
value: $(tasks.filter-already-released-advisory-rpms-task.results.result)
56-
- name: unreleased_rpms
57-
value: $(tasks.filter-already-released-advisory-rpms-task.results.unreleased_rpms)
58-
- name: in_advisory_rpms
59-
value: $(tasks.filter-already-released-advisory-rpms-task.results.in_advisory_rpms)
67+
- name: filter_results_artifact
68+
value: $(tasks.filter-already-released-advisory-rpms-task.results.filter_results_artifact)
6069
- name: advisory_url
6170
value: $(tasks.filter-already-released-advisory-rpms-task.results.advisory_url)
6271
- name: advisory_internal_url
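
Review bot: removing the `unreleased_rpms` and `in_advisory_rpms` results in favour of `filter_results_artifact` is a breaking interface change for anything that reads this pipeline's results, and the pipeline README in this commit shows 2 additions and 0 deletions, so its description ("It returns lists of unreleased RPMs and RPMs found in advisories ...") still describes the old outputs. Update the README to describe the new result, and document whether `filter_results_artifact` carries a digest-pinned reference so the caller fetches exactly the content this task wrote.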

scripts/run-local-tests.sh

Lines changed: 1 addition & 1 deletion
@@ -277,7 +277,7 @@ classify_tasks() {
277277
continue
278278
fi
279279

280-
# Check if task supports Trusted Artifacts (uses TA step actions)
280+
# Check if task needs OCI registry (uses TA step actions)
281281
if grep -q "name: use-trusted-artifact\|name: create-trusted-artifact" "$task_file"; then
282282
trusted_artifacts_tasks+=("$item")
283283
else
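
Review bot: the reworded comment on line 280 says "needs OCI registry", but the `grep` below it still matches only `name: use-trusted-artifact` and `name: create-trusted-artifact`, and the array is still called `trusted_artifacts_tasks`. A task that talks to a registry without those step actions would fall into the `else` branch, so the comment now promises more than the check does. Either keep both facts in the comment (uses TA step actions, and therefore needs an OCI registry) or extend the pattern and rename the array to match the new meaning.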

tasks/internal/filter-already-released-advisory-rpms-task/README.md

Lines changed: 11 additions & 8 deletions
@@ -6,11 +6,14 @@ RPMs found in advisories (for digest validation by the calling task).
66

77
## Parameters
88

9-
| Name | Description | Optional | Default value |
10-
|--------------------------------|-----------------------------------------------------------------------|----------|---------------|
11-
| transformedSnapshot | Base64 string of gzipped JSON array of RPM entries with purls | No | - |
12-
| origin | The origin workspace for the release CR | No | - |
13-
| advisory_secret_name | Name of the secret containing advisory GitLab metadata | No | - |
14-
| internalRequestPipelineRunName | Name of the PipelineRun that requested this task | No | - |
15-
| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from | Yes | trusted-ca |
16-
| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data | Yes | ca-bundle.crt |
9+
| Name | Description | Optional | Default value |
10+
|-------------------------------------------------|--------------------------------------------------------------------------------------------|----------|-----------------------------------------------------|
11+
| transformedSnapshot | Base64 string of gzipped JSON array of RPM entries with purls | No | - |
12+
| origin | The origin workspace for the release CR | No | - |
13+
| advisory_secret_name | Name of the secret containing advisory GitLab metadata | No | - |
14+
| internalRequestPipelineRunName | Name of the PipelineRun that requested this task | No | - |
15+
| ociStorage | The OCI repository to store results artifact | No | - |
16+
| trusted_artifacts_dockerconfig_json_secret_name | The name of the secret that contains the dockerconfig json for trusted artifact operations | Yes | quay-token-konflux-release-trusted-artifacts-secret |
17+
| orasOptions | oras options to pass to oras calls | Yes | "" |
18+
| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from | Yes | trusted-ca |
19+
| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data | Yes | ca-bundle.crt |
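
Review bot: `trusted_artifacts_dockerconfig_json_secret_name` is introduced here with the default `quay-token-konflux-release-trusted-artifacts-secret`, but the pipeline hunks in this commit pass only `ociStorage` and `orasOptions` to the task, so pipeline callers cannot override the secret. Either expose it as a pipeline parameter or note in this table that the default is always used when the task runs through the pipeline. The row should also say what access the credential needs on the `ociStorage` repository, so it can be scoped to that and nothing wider.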
