Commit f976089

scoheb and claude committed
feat(HUM-2061): optimize filter-advisory-rpms task
Refactor managed and internal filter tasks for large advisory handling with oras auth and credential setup. Fix arg-too-long errors using file-based processing. Optimize purl-to-advisory mapping performance. Treat unpublished advisory RPMs as unreleased. Restore advisory as authoritative source of truth. Add direct task results for test validation. Add internal pipeline and unit tests. Update local test runner.

Unquote ORAS_OPTIONS to prevent empty arg: when ORAS_OPTIONS is empty, "${ORAS_OPTIONS:-}" produces an empty string argument that oras interprets as the reference, causing "invalid reference: missing registry or repository". Add shellcheck disable directives for the intentionally unquoted variable.

Signed-off-by: Scott Hebert <shebert@redhat.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1 parent 6929647 commit f976089

11 files changed

Lines changed: 533 additions & 199 deletions

pipelines/internal/filter-already-released-advisory-rpms/README.md

Lines changed: 2 additions & 0 deletions
@@ -11,5 +11,7 @@ It returns lists of unreleased RPMs and RPMs found in advisories for digest vali
1111
| origin | The origin workspace where the release CR comes from | No | - |
1212
| advisory_secret_name | The name of the secret that contains the advisory GitLab metadata | No | - |
1313
| internalRequestPipelineRunName | Name of the PipelineRun that requested this pipeline | No | - |
14+
| ociStorage | The OCI repository to store results artifact | No | - |
1415
| taskGitUrl | The url to the git repo where the release-service-catalog tasks to be used are stored | Yes | https://github.com/konflux-ci/release-service-catalog.git |
1516
| taskGitRevision | The revision in the taskGitUrl repo to be used | No | - |
17+
| orasOptions | oras options to pass to oras calls | Yes | "" |
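Review bot: The README's opening description, visible in the hunk header as "It returns lists of unreleased RPMs and RPMs found in advisories", is now out of step with the pipeline YAML in this same commit, which drops the `unreleased_rpms` and `in_advisory_rpms` results and exposes `filter_results_artifact` instead. Please update that sentence and describe what the artifact reference contains, so callers know the lists are no longer available as results.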

pipelines/internal/filter-already-released-advisory-rpms/filter-already-released-advisory-rpms.yaml

Lines changed: 13 additions & 4 deletions
@@ -23,13 +23,20 @@ spec:
2323
- name: internalRequestPipelineRunName
2424
type: string
2525
description: Name of the PipelineRun that requested this pipeline
26+
- name: ociStorage
27+
type: string
28+
description: The OCI repository to store results artifact
2629
- name: taskGitUrl
2730
type: string
2831
description: The url to the git repo where the release-service-catalog tasks to be used are stored
2932
default: https://github.com/konflux-ci/release-service-catalog.git
3033
- name: taskGitRevision
3134
type: string
3235
description: The revision in the taskGitUrl repo to be used
36+
- name: orasOptions
37+
type: string
38+
description: oras options to pass to oras calls
39+
default: ""
3340
tasks:
3441
- name: filter-already-released-advisory-rpms-task
3542
taskRef:
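Review bot: `ociStorage` is declared without a `default`, so it becomes a required parameter, whereas `orasOptions` gets `default: ""`. Any existing caller that does not set `ociStorage` will fail parameter validation once this lands; please confirm every requester is updated in this commit, or call the breaking change out in the commit message.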
@@ -50,13 +57,15 @@ spec:
5057
value: $(params.advisory_secret_name)
5158
- name: internalRequestPipelineRunName
5259
value: $(params.internalRequestPipelineRunName)
60+
- name: ociStorage
61+
value: $(params.ociStorage)
62+
- name: orasOptions
63+
value: $(params.orasOptions)
5364
results:
5465
- name: result
5566
value: $(tasks.filter-already-released-advisory-rpms-task.results.result)
56-
- name: unreleased_rpms
57-
value: $(tasks.filter-already-released-advisory-rpms-task.results.unreleased_rpms)
58-
- name: in_advisory_rpms
59-
value: $(tasks.filter-already-released-advisory-rpms-task.results.in_advisory_rpms)
67+
- name: filter_results_artifact
68+
value: $(tasks.filter-already-released-advisory-rpms-task.results.filter_results_artifact)
6069
- name: advisory_url
6170
value: $(tasks.filter-already-released-advisory-rpms-task.results.advisory_url)
6271
- name: advisory_internal_url
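Review bot: Removing `unreleased_rpms` and `in_advisory_rpms` from the pipeline results breaks any consumer that still reads them, and the replacement `filter_results_artifact` moves the data out of the PipelineRun results and into a registry. Because this data decides which RPMs are treated as unreleased, the result should carry a digest-pinned reference and the consumer should fetch by that digest, not by a mutable tag; please document the expected format of the value next to the result.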

scripts/run-local-tests.sh

Lines changed: 1 addition & 1 deletion
@@ -277,7 +277,7 @@ classify_tasks() {
277277
continue
278278
fi
279279

280-
# Check if task supports Trusted Artifacts (uses TA step actions)
280+
# Check if task needs OCI registry (uses TA step actions)
281281
if grep -q "name: use-trusted-artifact\|name: create-trusted-artifact" "$task_file"; then
282282
trusted_artifacts_tasks+=("$item")
283283
else
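Review bot: The new comment says the check is for tasks that need an OCI registry, but the condition on the next line still only greps for the `use-trusted-artifact` and `create-trusted-artifact` step actions, and the array is still named `trusted_artifacts_tasks`. A task that calls oras directly without those step actions would fall into the `else` branch; either widen the grep to match such tasks or keep the original comment so it describes what is actually tested.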

tasks/internal/filter-already-released-advisory-rpms-task/README.md

Lines changed: 11 additions & 8 deletions
@@ -6,11 +6,14 @@ RPMs found in advisories (for digest validation by the calling task).
66

77
## Parameters
88

9-
| Name | Description | Optional | Default value |
10-
|--------------------------------|-----------------------------------------------------------------------|----------|---------------|
11-
| transformedSnapshot | Base64 string of gzipped JSON array of RPM entries with purls | No | - |
12-
| origin | The origin workspace for the release CR | No | - |
13-
| advisory_secret_name | Name of the secret containing advisory GitLab metadata | No | - |
14-
| internalRequestPipelineRunName | Name of the PipelineRun that requested this task | No | - |
15-
| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from | Yes | trusted-ca |
16-
| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data | Yes | ca-bundle.crt |
9+
| Name | Description | Optional | Default value |
10+
|-------------------------------------------------|--------------------------------------------------------------------------------------------|----------|-----------------------------------------------------|
11+
| transformedSnapshot | Base64 string of gzipped JSON array of RPM entries with purls | No | - |
12+
| origin | The origin workspace for the release CR | No | - |
13+
| advisory_secret_name | Name of the secret containing advisory GitLab metadata | No | - |
14+
| internalRequestPipelineRunName | Name of the PipelineRun that requested this task | No | - |
15+
| ociStorage | The OCI repository to store results artifact | No | - |
16+
| trusted_artifacts_dockerconfig_json_secret_name | The name of the secret that contains the dockerconfig json for trusted artifact operations | Yes | quay-token-konflux-release-trusted-artifacts-secret |
17+
| orasOptions | oras options to pass to oras calls | Yes | "" |
18+
| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from | Yes | trusted-ca |
19+
| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data | Yes | ca-bundle.crt |
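Review bot: The `orasOptions` row should say how the value is consumed. Per the commit message the task expands ORAS_OPTIONS unquoted, so the string is word-split and every token becomes a separate oras argument; the README should state that the value must come from trusted pipeline configuration only and list the options expected there. For `trusted_artifacts_dockerconfig_json_secret_name`, it would also help to note which registry permissions the secret needs on the `ociStorage` repository, so it can be provisioned with no more than that.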
