
feat(EC-1868): use conforma/tekton-catalog for verify-conforma task #2271

Merged
johnbieren merged 2 commits into konflux-ci:development from simonbaird:use-conforma-tekton-catalog-devel on Jun 15, 2026

Conversation

@simonbaird

@simonbaird simonbaird commented Jun 4, 2026

Member

Summary

  • Switch the git resolver URL from conforma/cli to conforma/tekton-catalog for the verify-conforma task
  • Hard-code the revision SHA (515fb114f8cfeb9206ec5ffb90a6f9cf851cc941) instead of using the verify_ec_task_git_revision param, reducing indirection
  • Keep the verify_ec_task_git_revision param (unused) for backwards compatibility

Jira: https://redhat.atlassian.net/browse/EC-1868

🤖 Generated with Claude Code

(Human generated explanation): The high level philosophy here is that there are way too many moving parts between a code change and a production update. Hard coding the sha here seems like a drastic change, but it actually removes several of those moving parts and hence removes a lot of complexity, making it much easier to know and reason about what is currently deployed, and how it can be updated. The downside in the trade-off (larger commits to bump the digest) is minor, since we'll use some automation to handle it. Also note, this is part of a larger effort to introduce some pre-deploy testing, where a pinned Conforma CLI is tested with a pinned Conforma policy bundle, then, if and only if everything is green, the entire change is rolled out to RH Konflux prod with a single sha or digest change PR.

@qodo-code-review

qodo-code-review Bot commented Jun 4, 2026

Contributor

PR Reviewer Guide 🔍

(Review updated until commit 49df432)

Warning

/review is deprecated. Use /agentic_review instead (removal date not yet scheduled).

Here are some key observations to aid the review process:

🎫 Ticket compliance analysis 🔶

EC-1868 - Partially compliant

Compliant requirements:

  • Update the Conforma verify task references in all pipelines in release-service-catalog to use conforma/tekton-catalog instead of the current source.
  • Set the task revision to the latest commit on the konflux branch (currently 515fb11).

Non-compliant requirements:

(empty)

Requires further human verification:

  • Confirm that 515fb114f8cfeb9206ec5ffb90a6f9cf851cc941 is still the latest commit on the konflux branch at merge time.
⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪
🧪 No relevant tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

Maintainability

The Conforma task revision is hard-coded to a specific SHA. This improves determinism, but it also makes updates require repo-wide YAML changes and increases the chance of version drift across pipelines if a future update is partially applied. Consider centralizing the SHA (e.g., via a shared param/value injected consistently) or adding a clear, single source-of-truth comment/automation hook for bumping it.

```yaml
  value: https://github.com/conforma/tekton-catalog
- name: revision
  value: "515fb114f8cfeb9206ec5ffb90a6f9cf851cc941"
- name: pathInRepo
  value: "tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml"
```

Backwards-compat

verify_ec_task_git_revision is kept but marked deprecated/ignored with a default of ignored. This could be confusing for consumers that still set it (or validate param presence). Consider setting a neutral default (empty string) and/or adding a note in the pipeline description/docs about planned removal and ensuring no downstream tooling relies on the previous behavior.

```yaml
- name: verify_ec_task_git_revision
  type: string
  description: Previously used for the Conforma task git resolver, now deprecated and ignored
  default: ignored
- name: taskGitUrl
```

Docs accuracy

The parameter table now marks verify_ec_task_git_revision as required (Yes) while also stating it is deprecated and ignored with default ignored. Consider marking it as optional (No) (or explicitly documenting that it is accepted-but-unused) to avoid misleading users and tooling that reads these README tables.

| verify_ec_task_git_revision     | Previously used for the Conforma task git resolver, now deprecated and ignored                                                     | Yes      | ignored                                                   |
| taskGitUrl                      | The url to the git repo where the release-service-catalog tasks to be used are stored                                              | Yes      | https://github.com/konflux-ci/release-service-catalog.git |

@qodo-code-review

Contributor

PR Code Suggestions ✨

Warning

/improve is deprecated. Use /agentic_review instead (removal date not yet scheduled).

No code suggestions found for the PR.

@simonbaird simonbaird force-pushed the use-conforma-tekton-catalog-devel branch from e1863ce to a936723 Compare June 4, 2026 21:20
@qodo-code-review

Contributor

PR Code Suggestions ✨

Warning

/improve is deprecated. Use /agentic_review instead (removal date not yet scheduled).

Inline suggestions were posted as code suggestions.

Comment thread pipelines/managed/fbc-release/fbc-release.yaml Outdated
@simonbaird simonbaird force-pushed the use-conforma-tekton-catalog-devel branch from a936723 to dc140df Compare June 4, 2026 21:26
@qodo-code-review

Contributor

PR Code Suggestions ✨

Warning

/improve is deprecated. Use /agentic_review instead (removal date not yet scheduled).

Inline suggestions were posted as code suggestions.

Comment thread pipelines/managed/e2e/e2e.yaml Outdated
@simonbaird simonbaird force-pushed the use-conforma-tekton-catalog-devel branch from dc140df to 04bd442 Compare June 4, 2026 21:32
@qodo-code-review

Contributor

PR Code Suggestions ✨

Warning

/improve is deprecated. Use /agentic_review instead (removal date not yet scheduled).

Inline suggestions were posted as code suggestions.

Comment thread pipelines/managed/e2e/e2e.yaml
@simonbaird simonbaird force-pushed the use-conforma-tekton-catalog-devel branch from 04bd442 to c1f0c5d Compare June 4, 2026 21:50
@qodo-code-review

Contributor

PR Code Suggestions ✨

Warning

/improve is deprecated. Use /agentic_review instead (removal date not yet scheduled).

No code suggestions found for the PR.

@simonbaird simonbaird force-pushed the use-conforma-tekton-catalog-devel branch from c1f0c5d to 0673ac9 Compare June 4, 2026 21:52
@qodo-code-review

Contributor

PR Code Suggestions ✨

Warning

/improve is deprecated. Use /agentic_review instead (removal date not yet scheduled).

Inline suggestions were posted as code suggestions.

Comment thread pipelines/managed/e2e/e2e.yaml
@simonbaird simonbaird force-pushed the use-conforma-tekton-catalog-devel branch from 0673ac9 to 1a5a43a Compare June 4, 2026 21:54
@qodo-code-review

Contributor

PR Code Suggestions ✨

Warning

/improve is deprecated. Use /agentic_review instead (removal date not yet scheduled).

No code suggestions found for the PR.

@qodo-code-review

Contributor

Failed to generate code suggestions for PR

@simonbaird simonbaird force-pushed the use-conforma-tekton-catalog-devel branch from 1a5a43a to 49df432 Compare June 4, 2026 21:59
@simonbaird

Member Author

Sorry for the noise, readme linter is not enjoying this PR.

@qodo-code-review

Contributor

PR Code Suggestions ✨

Warning

/improve is deprecated. Use /agentic_review instead (removal date not yet scheduled).

Inline suggestions were posted as code suggestions.

Comment thread pipelines/managed/e2e/e2e.yaml
@simonbaird simonbaird force-pushed the use-conforma-tekton-catalog-devel branch 2 times, most recently from 0c592a3 to 41ee262 Compare June 12, 2026 15:30
@simonbaird

Member Author

FYI latest revision includes a simple bash script that can be used to bump the sha. I'm intentionally not putting any workflow or CI around that now, since I think it's better to do that in another PR after this one is merged.
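
As an added example (not the bump script this PR checks in, which is not reproduced on this page), the following POSIX shell sketch shows the two operations the thread discusses: rewriting the pinned conforma/tekton-catalog revision across pipeline files, and the drift check the review bot asks for, i.e. confirming every pipeline references the same SHA. The YAML layout follows the git-resolver params shown in the review comment; the sample files, the function names and the all-zero "drifted" SHA are constructed for the demo. The one deliberate rule is that the bump refuses anything but a full 40-character SHA, because accepting a branch or tag name would re-introduce exactly the mutable reference this PR removes.

```shell
#!/bin/sh
# Added example, not release-service-catalog's own script.
# Assumes the Tekton git-resolver param layout shown in this PR:
#   - name: url
#     value: https://github.com/conforma/tekton-catalog
#   - name: revision
#     value: "<sha>"
set -eu

CATALOG_URL="https://github.com/conforma/tekton-catalog"

# True only for a full 40-character lowercase hex SHA (what git prints).
# Short SHAs, branch names and tags are rejected: they are mutable references.
is_full_sha() {
  case "$1" in
    *[!0-9a-f]*) return 1 ;;
  esac
  [ "${#1}" -eq 40 ]
}

# Print the revision value that follows each CATALOG_URL url param in a file.
catalog_revisions() {
  awk -v url="$CATALOG_URL" '
    { v = $2; gsub(/["]/, "", v) }              # strip optional quotes
    $1 == "value:" && v == url { want = 1; next } # next value: is the revision
    want && $1 == "value:" { print v; want = 0 }
  ' "$1"
}

# Rewrite every catalog revision in the given files to $1 (full SHA only).
bump_revision() {
  new="$1"; shift
  is_full_sha "$new" || { echo "refusing non-SHA revision: $new" >&2; return 1; }
  for f in "$@"; do
    awk -v url="$CATALOG_URL" -v new="$new" '
      { v = $2; gsub(/["]/, "", v) }
      $1 == "value:" && v == url { want = 1; print; next }
      want && $1 == "value:" { sub(/value:.*/, "value: \"" new "\""); want = 0 }
      { print }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
  done
}

# Succeed and print the SHA when all files pin the same revision;
# otherwise list the distinct values on stderr and fail.
check_drift() {
  seen=$(for f in "$@"; do catalog_revisions "$f"; done | sort -u)
  n=$(printf '%s\n' "$seen" | grep -c . || true)
  if [ "$n" -ne 1 ]; then
    echo "revision drift across pipelines:" >&2
    printf '%s\n' "$seen" >&2
    return 1
  fi
  printf '%s\n' "$seen"
}

# Constructed sample pipeline fragments (not the real catalog files).
# a.yaml carries the SHA from this PR; b.yaml is a placeholder that drifted.
make_samples() {
  dir=$(mktemp -d)
  cat > "$dir/a.yaml" <<'EOF'
    taskRef:
      resolver: git
      params:
        - name: url
          value: https://github.com/conforma/tekton-catalog
        - name: revision
          value: "515fb114f8cfeb9206ec5ffb90a6f9cf851cc941"
        - name: pathInRepo
          value: "tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml"
EOF
  cat > "$dir/b.yaml" <<'EOF'
        - name: url
          value: https://github.com/conforma/tekton-catalog
        - name: revision
          value: "0000000000000000000000000000000000000000"
EOF
  echo "$dir"
}

demo() {
  dir=$(make_samples)
  check_drift "$dir"/*.yaml || echo "drift detected before the bump (expected in this demo)"
  bump_revision 515fb114f8cfeb9206ec5ffb90a6f9cf851cc941 "$dir"/*.yaml
  echo "all pipelines now pin: $(check_drift "$dir"/*.yaml)"
  rm -rf "$dir"
}
demo
```

Running the drift check in CI (the follow-up the author defers to a later PR) is what turns the hard-coded SHA from a maintenance liability into an invariant: a partially applied bump fails the check instead of silently shipping two Conforma versions.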

@simonbaird

Member Author

Saw this on the current failure:

Error from server (Conflict): error when creating "/tmp/tmp.fVLWcneJdF/managed-resources.yaml": Operation cannot be fulfilled on resourcequotas "konflux": the object has been modified; please apply your changes to the latest version and try again

@simonbaird

Member Author

/retest

@simonbaird

simonbaird commented Jun 12, 2026

Member Author

FWIW I think the / retest is not supposed to redo all the passing pipelines. See SRVKP-11112 and SRVKP-7236

Switch the git resolver from conforma/cli to conforma/tekton-catalog
and hard-code the revision SHA instead of using the
verify_ec_task_git_revision param, which is defined in a configmap
with its own change workflow in another repo.

The param is kept for backwards compatibility but its value is now
ignored.

The motivation for this change is that we want to have a simple and
clear atomic roll-out (and roll-back if needed) workflow for
Conforma updates. The current system where the reference is in a
configmap and gets passed as a param makes that difficult.

Also, the current conforma/cli git resolver reference has the
disadvantage of not using a pinned version of the Conforma CLI,
hence a change merged to main branch Conforma goes live instantly.
The conforma/tekton-catalog definition does not have this problem,
since the cli image used by the task is pinned there, updates only
go live when the git sha ref we're introducing in this PR gets
updated.

Also in this PR: Add a todo about the one instance of the task (in
the calunga-push-to-pulp pipeline) that might need some more careful
testing before updating. Since the version of the task it's
currently using is almost a year old, there's a chance the params
need to be changed. To reduce the risk of breaking something, and
because I don't have a good way to test the calunga-push-to-pulp
pipeline, I don't want to do it in this PR, so to be cautious I'm
leaving it alone and flagging it as a todo for someone else to fix
later.

Signed-off-by: Simon Baird <sbaird@redhat.com>
Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>

This could be run automatically in future, but right now I'm running
it manually.

Also in this commit, check in the results of running the script so
we bump the actual git sha. Note that it updated it also in the todo
comments, which I think is a feature.

Signed-off-by: Simon Baird <sbaird@redhat.com>
Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
@simonbaird simonbaird force-pushed the use-conforma-tekton-catalog-devel branch from 41ee262 to 4d0a9de Compare June 12, 2026 16:24
@simonbaird

Member Author

After a few retries, we now have passing CI.

@ach912 ach912 left a comment


lgtm

@seanconroy2021

seanconroy2021 commented Jun 15, 2026

Member

> FWIW I think the / retest is not supposed to redo all the passing pipelines. See SRVKP-11112 and SRVKP-7236

Oh that is very interesting. Most of the time when we do a "retest" it re-runs all the pipelines again even the passing ones.

@johnbieren johnbieren left a comment


Is there a followup ticket to stop passing the revision from the operator (https://github.com/konflux-ci/release-service/blob/main/controllers/release/adapter.go#L1268)?

@ach912

ach912 commented Jun 15, 2026


Production Approval Record

Field Value
Action APPROVED
Reviewer @ach912
Timestamp 2026-06-15T15:15:03.166Z

Approved

@johnbieren johnbieren added this pull request to the merge queue Jun 15, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Jun 15, 2026
@johnbieren johnbieren added this pull request to the merge queue Jun 15, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Jun 15, 2026
@johnbieren johnbieren added this pull request to the merge queue Jun 15, 2026
@simonbaird

Member Author

> Is there a followup ticket to stop passing the revision from the operator (https://github.com/konflux-ci/release-service/blob/main/controllers/release/adapter.go#L1268)?

Not yet, but that's a good idea.

Merged via the queue into konflux-ci:development with commit 08805f5 Jun 15, 2026
33 checks passed
@qodo-app-for-konflux-ci qodo-app-for-konflux-ci Bot mentioned this pull request Jun 27, 2026