Skip to content

Commit e618a4e

Browse files
committed
fix(RELEASE-2407): populate advisory URL on idempotent re-release
Adds an update-cr-status-skipped task to the rh-advisories pipeline that runs only when skip_release=true, reading the advisory URL resolved by filter-already-released-advisory-images and patching the release CR status accordingly. Signed-off-by: Elena German <elgerman@redhat.com> Assisted-by: Claude
1 parent f473e69 commit e618a4e

3 files changed

Lines changed: 212 additions & 0 deletions

File tree

pipelines/managed/rh-advisories/README.md

Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,19 @@ This is a copy of v3.0.0 of the rh-push-to-registry-redhat-io pipeline, but with
55
tasks added in. The plan is for this pipeline to eventually be deleted and take the place of
66
the rh-push-to-registry-redhat-io pipeline.
77

8+
## Idempotent re-release behavior
9+
10+
When the same snapshot is released a second time, the filter-already-released-advisory-images
11+
task detects that all images are already published in an existing advisory and sets
12+
skip_release=true. In this case all normal release tasks (signing, pushing, advisory creation,
13+
etc.) are skipped.
14+
15+
To ensure release.status.artifacts.advisory.url is still populated after an idempotent
16+
re-release, the pipeline includes a dedicated update-cr-status-skipped task that runs only
17+
when skip_release=true. It reads the advisory URL written to the results directory by
18+
filter-already-released-advisory-images and patches the Release CR status in the same way
19+
the normal update-cr-status task does on the first release.
20+
821
## Parameters
922

1023
| Name | Description | Optional | Default value |

pipelines/managed/rh-advisories/rh-advisories.yaml

Lines changed: 48 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,19 @@ spec:
1212
This is a copy of v3.0.0 of the rh-push-to-registry-redhat-io pipeline, but with the advisory
1313
tasks added in. The plan is for this pipeline to eventually be deleted and take the place of
1414
the rh-push-to-registry-redhat-io pipeline.
15+
16+
## Idempotent re-release behavior
17+
18+
When the same snapshot is released a second time, the filter-already-released-advisory-images
19+
task detects that all images are already published in an existing advisory and sets
20+
skip_release=true. In this case all normal release tasks (signing, pushing, advisory creation,
21+
etc.) are skipped.
22+
23+
To ensure release.status.artifacts.advisory.url is still populated after an idempotent
24+
re-release, the pipeline includes a dedicated update-cr-status-skipped task that runs only
25+
when skip_release=true. It reads the advisory URL written to the results directory by
26+
filter-already-released-advisory-images and patches the Release CR status in the same way
27+
the normal update-cr-status task does on the first release.
1528
params:
1629
- name: release
1730
type: string
@@ -1120,6 +1133,41 @@ spec:
11201133
value: tasks/managed/update-cr-status/update-cr-status.yaml
11211134
runAfter:
11221135
- create-advisory
1136+
- name: update-cr-status-skipped
1137+
when:
1138+
- input: "$(tasks.filter-already-released-advisory-images.results.skip_release)"
1139+
operator: in
1140+
values: ["true"]
1141+
params:
1142+
- name: resource
1143+
value: $(params.release)
1144+
- name: resultsDirPath
1145+
value: $(tasks.collect-data.results.resultsDir)
1146+
- name: ociStorage
1147+
value: $(params.ociStorage)
1148+
- name: resultArtifacts
1149+
value:
1150+
- "$(tasks.filter-already-released-advisory-images.results.sourceDataArtifact)=$(params.dataDir)"
1151+
- name: dataDir
1152+
value: $(params.dataDir)
1153+
- name: trustedArtifactsDebug
1154+
value: "$(params.trustedArtifactsDebug)"
1155+
- name: taskGitUrl
1156+
value: "$(params.taskGitUrl)"
1157+
- name: taskGitRevision
1158+
value: "$(params.taskGitRevision)"
1159+
taskRef:
1160+
resolver: "git"
1161+
params:
1162+
- name: url
1163+
value: $(params.taskGitUrl)
1164+
- name: revision
1165+
value: $(params.taskGitRevision)
1166+
- name: pathInRepo
1167+
value: tasks/managed/update-cr-status/update-cr-status.yaml
1168+
runAfter:
1169+
- filter-already-released-advisory-images
1170+
- collect-data
11231171
finally:
11241172
- name: cleanup-internal-requests
11251173
taskRef:
Lines changed: 151 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,151 @@
1+
---
2+
apiVersion: tekton.dev/v1
3+
kind: Pipeline
4+
metadata:
5+
name: test-update-cr-status-advisory-from-filter
6+
spec:
7+
description: |
8+
Run the update-cr-status task with a single resultArtifact that contains only
9+
the filter-already-released-advisory-images results file — the same setup used
10+
by the update-cr-status-skipped pipeline task on the idempotent re-release path
11+
(skip_release=true). The task should patch the Release CR status with
12+
advisory.url and advisory.internal_url.
13+
params:
14+
- name: ociStorage
15+
description: The OCI repository where the Trusted Artifacts are stored.
16+
type: string
17+
- name: ociArtifactExpiresAfter
18+
description: Expiration date for the trusted artifacts created in the
19+
OCI repository. An empty string means the artifacts do not expire.
20+
type: string
21+
default: "1d"
22+
- name: orasOptions
23+
description: oras options to pass to Trusted Artifacts calls
24+
type: string
25+
default: "--insecure"
26+
- name: trustedArtifactsDebug
27+
description: Flag to enable debug logging in trusted artifacts. Set to a non-empty string to enable.
28+
type: string
29+
default: ""
30+
- name: dataDir
31+
description: The location where data will be stored
32+
type: string
33+
tasks:
34+
- name: setup
35+
taskSpec:
36+
results:
37+
- name: sourceDataArtifact
38+
type: string
39+
volumes:
40+
- name: workdir
41+
emptyDir: {}
42+
stepTemplate:
43+
volumeMounts:
44+
- mountPath: /var/workdir
45+
name: workdir
46+
env:
47+
- name: IMAGE_EXPIRES_AFTER
48+
value: $(params.ociArtifactExpiresAfter)
49+
- name: "ORAS_OPTIONS"
50+
value: "$(params.orasOptions)"
51+
- name: "DEBUG"
52+
value: "$(params.trustedArtifactsDebug)"
53+
steps:
54+
- name: setup
55+
image: quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3
56+
script: |
57+
#!/usr/bin/env bash
58+
set -eux
59+
60+
RESULTS_DIR="$(params.dataDir)/$(context.pipelineRun.uid)/results"
61+
mkdir -p "$RESULTS_DIR"
62+
63+
# Simulate the results file written by filter-already-released-advisory-images
64+
# when all snapshot images are already published in an existing advisory
65+
FILTER_RESULTS="$RESULTS_DIR/filter-already-released-advisory-images-results.json"
66+
cat > "$FILTER_RESULTS" << EOF
67+
{
68+
"advisory": {
69+
"url": "https://access.redhat.com/errata/RHSA-2024:12345",
70+
"internal_url": "https://errata.devel.redhat.com/advisory/12345"
71+
}
72+
}
73+
EOF
74+
75+
cat > "$(params.dataDir)/$(context.pipelineRun.uid)/release" << EOF
76+
apiVersion: appstudio.redhat.com/v1alpha1
77+
kind: Release
78+
metadata:
79+
name: release-cr-status-advisory
80+
namespace: default
81+
spec:
82+
snapshot: foo
83+
releasePlan: foo
84+
EOF
85+
kubectl apply -f "$(params.dataDir)/$(context.pipelineRun.uid)/release"
86+
- name: create-trusted-artifact
87+
ref:
88+
name: create-trusted-artifact
89+
params:
90+
- name: ociStorage
91+
value: $(params.ociStorage)
92+
- name: workDir
93+
value: $(params.dataDir)
94+
- name: sourceDataArtifact
95+
value: $(results.sourceDataArtifact.path)
96+
- name: run-task
97+
taskRef:
98+
name: update-cr-status
99+
params:
100+
- name: resource
101+
value: default/release-cr-status-advisory
102+
- name: resultsDirPath
103+
value: $(context.pipelineRun.uid)/results
104+
- name: dataDir
105+
value: $(params.dataDir)
106+
- name: ociStorage
107+
value: $(params.ociStorage)
108+
- name: orasOptions
109+
value: $(params.orasOptions)
110+
- name: trustedArtifactsDebug
111+
value: $(params.trustedArtifactsDebug)
112+
- name: resultArtifacts
113+
value:
114+
- "$(tasks.setup.results.sourceDataArtifact)=$(params.dataDir)"
115+
- name: taskGitUrl
116+
value: "http://localhost"
117+
- name: taskGitRevision
118+
value: "main"
119+
runAfter:
120+
- setup
121+
- name: check-result
122+
taskSpec:
123+
steps:
124+
- name: check-result
125+
image: quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3
126+
script: |
127+
#!/usr/bin/env bash
128+
set -eux
129+
130+
echo Test that Release.Status contains advisory.url from the filter task results
131+
test "$(kubectl get release release-cr-status-advisory -n default \
132+
-o jsonpath='{.status.artifacts.advisory.url}')" \
133+
== "https://access.redhat.com/errata/RHSA-2024:12345"
134+
135+
echo Test that Release.Status contains advisory.internal_url from the filter task results
136+
test "$(kubectl get release release-cr-status-advisory -n default \
137+
-o jsonpath='{.status.artifacts.advisory.internal_url}')" \
138+
== "https://errata.devel.redhat.com/advisory/12345"
139+
runAfter:
140+
- run-task
141+
finally:
142+
- name: cleanup
143+
taskSpec:
144+
steps:
145+
- name: delete-crs
146+
image: quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3
147+
script: |
148+
#!/usr/bin/env sh
149+
set -eux
150+
151+
kubectl delete release release-cr-status-advisory

0 commit comments

Comments
 (0)