feat(EC-1868): use conforma/tekton-catalog for verify-conforma task #2271
Sorry for the noise, readme linter is not enjoying this PR.
FYI latest revision includes a simple bash script that can be used to bump the sha. I'm intentionally not putting any workflow or CI around that now, since I think it's better to do that in another PR after this one is merged.

Saw this on the current failure:

/retest

FWIW I think the
Switch the git resolver from conforma/cli to conforma/tekton-catalog and hard-code the revision SHA instead of using the verify_ec_task_git_revision param, which is defined in a configmap with its own change workflow in another repo. The param is kept for backwards compatibility but its value is now ignored.

The motivation for this change is that we want to have a simple and clear atomic roll-out (and roll-back if needed) workflow for Conforma updates. The current system where the reference is in a configmap and gets passed as a param makes that difficult. Also, the current conforma/cli git resolver reference has the disadvantage of not using a pinned version of the Conforma CLI, hence a change merged to the Conforma main branch goes live instantly. The conforma/tekton-catalog definition does not have this problem, since the cli image used by the task is pinned there; updates only go live when the git sha ref we're introducing in this PR gets updated.

Also in this PR: Add a todo about the one instance of the task (in the calunga-push-to-pulp pipeline) that might need some more careful testing before updating. Since the version of the task it's currently using is almost a year old, there's a chance the params need to be changed. To reduce the risk of breaking something, and because I don't have a good way to test the calunga-push-to-pulp pipeline, I don't want to do it in this PR, so to be cautious I'm leaving it alone and flagging it as a todo for someone else to fix later.

Signed-off-by: Simon Baird <sbaird@redhat.com>
Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
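The commit message above turns on one distinction: a git-resolver taskRef whose revision is a branch name (or a param fed from a configmap) floats with upstream, while one pinned to a full commit SHA only changes when someone deliberately bumps it. The following Python lint is an added example for this discussion, not code from the PR, conforma/cli or conforma/tekton-catalog: it walks Tekton YAML text without any YAML library and reports every `resolver: git` reference whose revision is not a 40-hex commit SHA, distinguishing a plain branch/tag from a `$(params.*)` indirection. The sample pipeline in it is constructed; its task names and pathInRepo values are assumptions, and the SHA is the one quoted in the PR summary.

```python
"""Lint Tekton git-resolver taskRefs for revisions that are not pinned to a commit.

Added example for this PR discussion; not code from the PR or from
conforma/tekton-catalog. It scans Tekton YAML text line by line (no PyYAML
dependency) and reports every `resolver: git` reference whose `revision`
param is a branch/tag or a $(params.*) indirection rather than a 40-hex SHA.
Assumes each resolver param is written as `- name: X` followed by `value: Y`.
"""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PARAM_RE = re.compile(r"^\$\(params\.[^)]+\)$")
NAME_RE = re.compile(r"^\s*-?\s*name:\s*(\S+)\s*$")
VALUE_RE = re.compile(r"^\s*-?\s*value:\s*(\S+)\s*$")

# Constructed sample showing the three states discussed in the PR.
# Task names and pathInRepo values are assumptions, not the real catalog paths.
SAMPLE_PIPELINE = """\
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
  name: example
spec:
  params:
    - name: verify_ec_task_git_revision
      default: main
  tasks:
    - name: verify-floating      # tracks the upstream main branch
      taskRef:
        resolver: git
        params:
          - name: url
            value: https://github.com/conforma/cli.git
          - name: revision
            value: main
          - name: pathInRepo
            value: tasks/verify-conforma/0.1/verify-conforma.yaml
    - name: verify-via-param     # revision comes from a configmap-fed param
      taskRef:
        resolver: git
        params:
          - name: url
            value: https://github.com/conforma/cli.git
          - name: revision
            value: "$(params.verify_ec_task_git_revision)"
          - name: pathInRepo
            value: tasks/verify-conforma/0.1/verify-conforma.yaml
    - name: verify-pinned        # the state this PR moves to
      taskRef:
        resolver: git
        params:
          - name: url
            value: https://github.com/conforma/tekton-catalog.git
          - name: revision
            value: 515fb114f8cfeb9206ec5ffb90a6f9cf851cc941
          - name: pathInRepo
            value: tasks/verify-conforma/0.1/verify-conforma.yaml
"""


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def find_git_resolver_refs(yaml_text):
    """Return one dict of resolver params (url, revision, ...) per `resolver: git` block."""
    refs = []
    lines = yaml_text.splitlines()
    i = 0
    while i < len(lines):
        if lines[i].strip() != "resolver: git":
            i += 1
            continue
        base = _indent(lines[i])
        params, name = {}, None
        j = i + 1
        # The taskRef block ends at the first non-blank line indented less
        # than the `resolver:` key itself (e.g. the next task in the list).
        while j < len(lines):
            cur = lines[j]
            if cur.strip() and _indent(cur) < base:
                break
            m = NAME_RE.match(cur)
            if m:
                name = m.group(1)
            m = VALUE_RE.match(cur)
            if m and name:
                params[name] = m.group(1).strip("'\"")
                name = None
            j += 1
        refs.append(params)
        i = j
    return refs


def classify_revision(rev):
    """'pinned' for a full commit SHA, 'param' for $(params.x), else 'floating'."""
    if rev is None:
        return "floating"  # no revision given: whatever the resolver defaults to, not a pin
    if SHA_RE.match(rev):
        return "pinned"
    if PARAM_RE.match(rev):
        return "param"
    return "floating"


def find_unpinned(yaml_text):
    """Return (url, revision, kind) for every git-resolver ref not pinned to a commit SHA."""
    findings = []
    for ref in find_git_resolver_refs(yaml_text):
        rev = ref.get("revision")
        kind = classify_revision(rev)
        if kind != "pinned":
            findings.append((ref.get("url"), rev, kind))
    return findings


if __name__ == "__main__":
    for url, rev, kind in find_unpinned(SAMPLE_PIPELINE):
        print(f"{kind:9} {url} @ {rev}")
```

Run against a repository's task and pipeline YAML, the `param` finding is exactly the configmap indirection this PR removes, and the `floating` finding is the conforma/cli main-branch reference whose upstream merges went live immediately; once both are gone, only a SHA bump commit can change what runs.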
This could be run automatically in future, but right now I'm running it manually. Also in this commit, check in the results of running the script so we bump the actual git sha. Note that it updated it also in the todo comments, which I think is a feature.

Signed-off-by: Simon Baird <sbaird@redhat.com>
Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
After a few retries, we now have passing CI.

Oh that is very interesting. Most of the time when we do a "retest" it re-runs all the pipelines again even the passing ones.
johnbieren left a comment:
Is there a followup ticket to stop passing the revision from the operator (https://github.com/konflux-ci/release-service/blob/main/controllers/release/adapter.go#L1268)?
Production Approval Record: Approved

Not yet, but that's a good idea.
Summary

- Switch the git resolver from conforma/cli to conforma/tekton-catalog for the verify-conforma task
- Hard-code the revision SHA (515fb114f8cfeb9206ec5ffb90a6f9cf851cc941) instead of using the verify_ec_task_git_revision param, reducing indirection
- Keep the verify_ec_task_git_revision param (unused) for backwards compatibility

Jira: https://redhat.atlassian.net/browse/EC-1868
🤖 Generated with Claude Code
(Human generated explanation): The high level philosophy here is that there are way too many moving parts between a code change and a production update. Hard coding the sha here seems like a drastic change, but it actually removes several of those moving parts and hence removes a lot of complexity, making it much easier to know and reason about what is currently deployed, and how it can be updated. The downside in the trade-off (larger commits to bump the digest) is minor, since we'll use some automation to handle it. Also note, this is part of a larger effort to introduce some pre-deploy testing, where a pinned Conforma CLI is tested with a pinned Conforma policy bundle, then, if and only if everything is green, the entire change is rolled out to RH Konflux prod with a single sha or digest change PR.