Closed
62 commits
d2db96b
Create the release pipeline for Lightwell Java artifacts
brunoapimentel Jun 24, 2026
047ec22
slan-cuan-release: Derive pulp-url and pulp-repository from RPA data …
arewm Jun 24, 2026
7f4351d
Merge branch 'konflux-ci:development' into slan-cuan-pipeline
JAVGan Jun 24, 2026
7cacff2
slan-cuan-release: Add generated README
arewm Jun 24, 2026
4ca6981
Merge pull request #2 from arewm/lightwell-pipeline
JAVGan Jun 24, 2026
25af5b4
Merge pull request #1 from konflux-lightwell/slan-cuan-pipeline
JAVGan Jun 24, 2026
7940a14
fix: use proper secret for RADAS
JAVGan Jun 24, 2026
b7637ae
Merge pull request #4 from konflux-lightwell/newbranch
JAVGan Jun 24, 2026
9cb2489
Fix path to tekton tasks in the slan-cuan pipeline
brunoapimentel Jun 24, 2026
2f55d7c
Merge pull request #6 from konflux-lightwell/fix-task-paths
brunoapimentel Jun 24, 2026
0a644ac
Add Conforma task to slan-cuan pipeline
lcarva Jun 25, 2026
fdd84d9
Merge pull request #7 from lcarva/add-conforma-task
brunoapimentel Jun 25, 2026
32d1ce3
Fix env for sign task
lcarva Jun 25, 2026
dce101d
Merge pull request #8 from lcarva/fix-env
brunoapimentel Jun 25, 2026
4e7c0ec
Remove invalid env definition
lcarva Jun 25, 2026
263ab9f
Merge pull request #9 from lcarva/fix-env
JAVGan Jun 25, 2026
91db8bf
slan-cuan-release: Derive all runtime params from snapshot and RPA data
arewm Jun 24, 2026
266e9ac
Merge pull request #10 from lcarva/e2e-saga
lcarva Jun 25, 2026
d1b7006
slan-cuan-release: Add default for taskGitRevision param
arewm Jun 24, 2026
91ad79a
slan-cuan-release: Remove shared-workspace, adopt Trusted Artifacts f…
arewm Jun 24, 2026
cbe15c0
Use TA version of conforma task
lcarva Jun 25, 2026
f515541
Merge pull request #11 from lcarva/e2e-saga
lcarva Jun 25, 2026
ddf6f9d
Add missing enterpriseContractTimeout pipeline param
lcarva Jun 25, 2026
a1ae728
Merge pull request #12 from lcarva/e2e-saga
lcarva Jun 25, 2026
2f71f2e
Use Andrew's fork of slan-cuan tasks
lcarva Jun 25, 2026
f460895
Merge pull request #13 from lcarva/e2e-saga
lcarva Jun 25, 2026
25f6918
Use slan-cuan tasks from Andrew's fork
lcarva Jun 25, 2026
d9da9a8
Merge pull request #15 from lcarva/e2e-saga
lcarva Jun 25, 2026
43d8208
fix: git references to this fork
JAVGan Jun 25, 2026
a7a5f38
Merge pull request #16 from konflux-lightwell/fix-resolver
brunoapimentel Jun 25, 2026
71d47f0
Fix slan-cuan-release pipeline parameters
brunoapimentel Jun 25, 2026
869bab8
Merge pull request #17 from konflux-lightwell/fix-params
JAVGan Jun 25, 2026
a10ac0d
fix: add correct params for slan-cuan-sign
JAVGan Jun 25, 2026
1fb7bb5
Merge pull request #18 from konflux-lightwell/fix-params
otaviof Jun 25, 2026
31417ba
fix: use proper value for sign-repo-url
JAVGan Jun 25, 2026
01fe317
Merge pull request #19 from konflux-lightwell/fix-repo-url
JAVGan Jun 25, 2026
013dac7
Use correct trusted artifact in conforma task
lcarva Jun 25, 2026
b7e7ddb
Merge pull request #20 from lcarva/e2e-saga
lcarva Jun 25, 2026
91d5e82
fix: drop radas-result-queue & radas-request-channel
JAVGan Jun 25, 2026
9dbecad
Merge pull request #21 from konflux-lightwell/fix-fix
lcarva Jun 25, 2026
a6e25d7
fix: use correct umb host for slan-cuan
JAVGan Jun 25, 2026
672ff73
fix: add docker auth to sign task
JAVGan Jun 26, 2026
7283b08
Merge pull request #22 from konflux-lightwell/auth-sign
JAVGan Jun 26, 2026
57591b8
fix: remove duplicated params
JAVGan Jun 26, 2026
437e003
Merge pull request #23 from konflux-lightwell/fixagain
brunoapimentel Jun 26, 2026
077cd87
Remove slan-cuan register task from pipeline
lcarva Jun 26, 2026
6c5d845
Merge pull request #24 from lcarva/e2e-saga
JAVGan Jun 26, 2026
959ea52
Disable references to results not populated by task
lcarva Jun 26, 2026
cf4a5a8
Merge pull request #25 from lcarva/e2e-saga
lcarva Jun 26, 2026
bf87254
Specify pulp secret name
lcarva Jun 26, 2026
ac332db
Merge pull request #26 from lcarva/e2e-saga
lcarva Jun 26, 2026
421828b
slan-cuan: pass the secrets for pulp to the task
JAVGan Jun 26, 2026
bcb8416
Merge pull request #27 from konflux-lightwell/publish_pipeline
lcarva Jun 26, 2026
0a0e306
fix: comment results from slan-cuan
JAVGan Jun 26, 2026
1dddb6d
fix: publish should use artifacts from sign
JAVGan Jun 26, 2026
19a365d
Revert "feat(RELEASE-1993): convert update-fbc-catalog-task to Python"
FilipNikolovski Jun 23, 2026
d65f995
feat(RELEASE-2466): replace Jira script with automation webhook
querti Jun 24, 2026
867589f
fix: make verify-conforma block sign task in slan-cuan pipeline
ralphbean Jun 27, 2026
27a4e9e
Merge pull request #28 from ralphbean/fix/conforma-blocks-sign
otaviof Jun 27, 2026
319940b
Revert "fix: make verify-conforma block sign task in slan-cuan pipeline"
ralphbean Jun 27, 2026
fb2b7ec
Merge pull request #29 from ralphbean/revert/conforma-blocks-sign
otaviof Jun 27, 2026
32e24d2
Use prod umb
ralphbean Jun 27, 2026
12 changes: 8 additions & 4 deletions .github/scripts/promote_branch.sh
Expand Up @@ -263,10 +263,14 @@ add_to_parsed_tickets_json() {
pr_url="$pr_url_input"
fi

# Append the ticket and PR URL (if present) to the parsed JSON
PARSED_TICKETS_JSON="$(jq --arg ticket "$ticket" --arg pr_url "$pr_url" \
'. += [ {"ticket": $ticket} + (if $pr_url != "" then {"pr_url": $pr_url} else {} end) ]' \
<<<"$PARSED_TICKETS_JSON")"
# Upsert: if ticket exists, append PR to its prs array; otherwise add new entry
PARSED_TICKETS_JSON="$(jq --arg ticket "${ticket}" --arg pr_url "${pr_url}" '
if any(.[]; .ticket == $ticket) then
map(if .ticket == $ticket and $pr_url != "" then .prs = ((.prs + [$pr_url]) | unique) else . end)
else
. + [{ticket: $ticket, prs: (if $pr_url != "" then [$pr_url] else [] end)}]
end
' <<<"${PARSED_TICKETS_JSON}")"
}

if [ -z "${PROMOTION_TYPE}" ]; then
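Review bot: The upsert in `add_to_parsed_tickets_json` changes each entry's shape from an optional scalar `pr_url` key to a `prs` array, and nothing in this hunk documents the new schema for consumers of the parsed tickets JSON. Update the comment to state the `{ticket, prs: [...]}` shape and confirm that every reader of `.pr_url` has been migrated. Note also that `unique` sorts the array, so `prs` does not keep the order in which PRs were encountered; if order matters, check membership before appending instead of piping through `unique`.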
9 changes: 3 additions & 6 deletions .github/scripts/test_tekton_tasks.sh
Expand Up @@ -62,13 +62,10 @@ apply_python_command_mocks_merge() {
echo '#!/usr/bin/env bash'
echo "TASK_ENTRYPOINT=("
for w in "${entrypoint_argv[@]}"; do
# Tekton placeholders must stay unescaped so Tekton can substitute them
# (printf %q would escape the '$'). Use single quotes so that JSON
# values with embedded double quotes survive bash array construction.
# Tekton does raw text replacement on the whole script string before
# bash sees it, so single quotes do not prevent substitution.
# Do not use printf %q for Tekton placeholders: single-quoted %q output
# prevents Tekton from rewriting $(params.*) inside spec.steps[].script.
if [[ "$w" == *'$('* ]]; then
printf " '%s'\n" "$w"
printf ' "%s"\n' "$w"
else
printf ' %q\n' "$w"
fi
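Review bot: In the `$(` placeholder branch, `printf ' "%s"\n' "$w"` writes the word inside double quotes in the generated script, so once Tekton has substituted `$(params.*)` the resulting text is subject to bash expansion: a value containing `"`, a backtick, `$(` or `\` will break the `TASK_ENTRYPOINT` array or be evaluated by the shell. The removed comment said single quotes were chosen so that JSON values with embedded double quotes survive, and that Tekton's raw text replacement is not blocked by single quotes; the new comment asserts the opposite without a test. Please add a test case with a JSON-valued parameter, and either keep the single quotes or escape the non-placeholder parts of the word. The new comment's "single-quoted %q output" is also confusing, since this branch never used `%q`.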
48 changes: 41 additions & 7 deletions .github/workflows/promote_branch.yaml
Expand Up @@ -200,14 +200,48 @@ jobs:
if: |
steps.promote.outcome == 'success' &&
inputs.update-jira-tickets == true &&
inputs.dry-run == false &&
steps.promote.outputs.parsed_tickets_file != ''
uses: konflux-ci/release-service-automations/jira-ci@87615e00a3a699a7cc473ed93d3203624e3b86f0 # main
with:
jira_url: "https://redhat.atlassian.net"
promotion_type: ${{ inputs.promotion-type }}
metadata_file: ${{ steps.promote.outputs.parsed_tickets_file }}
jira_token: ${{ secrets.JIRA_TOKEN }}
dry_run: ${{ inputs.dry-run }}
env:
JIRA_WEBHOOK_URL: ${{ secrets.JIRA_AUTOMATION_WEBHOOK_URL }}
JIRA_WEBHOOK_TOKEN: ${{ secrets.JIRA_AUTOMATION_WEBHOOK_TOKEN }}
PARSED_TICKETS_FILE: ${{ steps.promote.outputs.parsed_tickets_file }}
PROMOTION_TYPE: ${{ inputs.promotion-type }}
run: |
SOURCE="${PROMOTION_TYPE%-to-*}"
ENVIRONMENT="${PROMOTION_TYPE#*-to-}"

PAYLOAD=$(jq --arg env "${ENVIRONMENT}" --arg src "${SOURCE}" \
'{tickets: ., environment: $env, source: $src}' "${PARSED_TICKETS_FILE}")

TICKET_COUNT="$(jq '.tickets | length' <<< "${PAYLOAD}")"
if [ "${TICKET_COUNT}" -eq 0 ]; then
echo "No tickets to update, skipping webhook call"
exit 0
fi

echo "Calling Jira Automation webhook for ${SOURCE} -> ${ENVIRONMENT}"
echo "Tickets: $(jq -r '.[].ticket' "${PARSED_TICKETS_FILE}" | tr '\n' ' ')"

set +e
HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
--retry 3 --max-time 30 \
-X POST "${JIRA_WEBHOOK_URL}" \
-H "Content-Type: application/json" \
-H "X-Automation-Webhook-Token: ${JIRA_WEBHOOK_TOKEN}" \
-d "${PAYLOAD}")
CURL_RC=$?
set -e

if [ "${CURL_RC}" -ne 0 ]; then
echo "WARNING: curl failed with exit code ${CURL_RC}"
echo "Promotion was successful but Jira update may have failed."
elif [ "${HTTP_CODE}" -eq 200 ]; then
echo "Jira Automation webhook called successfully (HTTP ${HTTP_CODE})"
else
echo "WARNING: Jira Automation webhook returned HTTP ${HTTP_CODE}"
echo "Promotion was successful but Jira update may have failed."
fi

- name: Set up Python
if: |
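Review bot: In the `run:` block, both failure branches (non-zero `CURL_RC` and non-200 `HTTP_CODE`) only `echo` a WARNING, so a missed Jira update leaves the step green and is visible only to someone reading the log. Emit a `::warning::` workflow annotation or set a step output so the failure surfaces in the run summary, and check up front that `JIRA_WEBHOOK_URL` and `JIRA_WEBHOOK_TOKEN` are non-empty so an unset secret is reported as such rather than as a curl error. The token is also passed on the curl command line in `-H "X-Automation-Webhook-Token: ${JIRA_WEBHOOK_TOKEN}"`; reading the header from a file with `-H @file` keeps it out of the process arguments. Finally, `-eq 200` treats any other 2xx response as a failure; confirm that the webhook only ever returns 200 on success.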
42 changes: 42 additions & 0 deletions pipelines/managed/slan-cuan-release/README.md
@@ -0,0 +1,42 @@
# slan-cuan-release pipeline

Release pipeline for Lightwell Java artifacts (slan-cuan).

This pipeline orchestrates the complete release workflow for Java artifacts built by
PNC (Project Newcastle). All per-release configuration (image reference, signing key,
Trustify URLs, Pulp target) is derived from the Snapshot and ReleasePlanAdmission data
via collect-data, so no pipeline parameters need to be supplied at invocation time.

## Parameters

| Name | Description | Optional | Default value |
|-------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|------------------------------------------------------|
| release | The namespaced name (namespace/name) of the Release | No | - |
| releasePlan | The namespaced name (namespace/name) of the ReleasePlan | No | - |
| releasePlanAdmission | The namespaced name (namespace/name) of the ReleasePlanAdmission | No | - |
| releaseServiceConfig | The namespaced name (namespace/name) of the ReleaseServiceConfig | No | - |
| snapshot | The namespaced name (namespace/name) of the Snapshot | No | - |
| ociStorage | The OCI repository where Trusted Artifacts are stored | Yes | empty |
| ociArtifactExpiresAfter | Expiration date for trusted artifacts created in the OCI repository | Yes | 1d |
| trustedArtifactsDebug | Flag to enable debug logging in trusted artifacts | Yes | "" |
| orasOptions | oras options to pass to Trusted Artifacts calls | Yes | "" |
| dataDir | The location where data will be stored | Yes | /var/workdir/release |
| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from | Yes | trusted-ca |
| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data | Yes | ca-bundle.crt |
| catalogGitUrl | The url to the git repo where release-service-catalog tasks are stored | Yes | https://github.com/arewm/release-service-catalog.git |
| catalogGitRevision | The revision in the catalogGitUrl repo to be used | Yes | lightwell-pipeline |
| taskGitUrl | The url to the git repo where the slan-cuan tasks are stored | Yes | https://github.com/arewm/slan-cuan.git |
| taskGitRevision | The revision in the taskGitUrl repo to be used | Yes | 509fb97bb20fd8c3c021c6965e6f000134d396e5 |
| registry-auth-secret | Kubernetes Secret name for registry authentication (.dockerconfigjson format). Points to a Docker/Podman auth config for accessing private registries | Yes | registry-auth |
| force-extract | Overwrite existing output directory if it exists. Without this flag, the extract task refuses to overwrite existing directories | Yes | false |
| radas-config-secret | Kubernetes Secret name containing RADAS configuration JSON. The secret must have a `config.json` key with RADAS API URL and credentials | Yes | radas-config |
| requester-id | Requester identity for signing operations. Used for audit trails and RADAS access control. Typically an email address | Yes | slan-cuan@org.com |
| zip-root-path | Root of the Maven repository tree inside the ZIP archive submitted to RADAS. The ZIP file structure is <ZIP_ROOT_PATH>/<maven-layout> | Yes | repository |
| product-key | Product key for metadata tagging. Identifies the product in RADAS records and signing logs | Yes | slan-cuan |
| ignore-patterns | Comma-separated regex patterns to exclude files from signing. Example: ".*-sources\\.jar$,.*-javadoc\\.jar$" excludes source and javadoc JARs | Yes | "" |
| sso-secret-name | Kubernetes Secret name with OIDC credentials. The secret must have `client-id` and `client-secret` keys for OAuth2 client credentials flow | Yes | trustify-sso |
| register-insecure | Disable TLS verification for Trustify API calls. Set to "true" to skip certificate validation (not recommended for production) | Yes | false |
| register-retries | Number of retry attempts for Trustify API calls. The task will retry failed API calls this many times before giving up | Yes | 3 |
| register-ca-cert-secret | Kubernetes Secret name for custom CA certificate (optional). The secret must have a `ca.crt` key containing the PEM-encoded CA certificate. Leave empty to use system CA bundle | Yes | "" |
| publish-insecure | Disable TLS verification for Pulp API calls. Set to "true" to skip certificate validation (not recommended for production) | Yes | false |
| publish-ca-cert-secret | Kubernetes Secret name for custom CA certificate (optional). The secret must have a `ca.crt` key containing the PEM-encoded CA certificate. Leave empty to use system CA bundle | Yes | "" |
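Review bot: In the Parameters table, `catalogGitUrl` and `taskGitUrl` default to a personal fork (`https://github.com/arewm/...`) and `catalogGitRevision` defaults to the branch name `lightwell-pipeline`, a mutable ref, while `taskGitRevision` is pinned to a commit SHA. For a pipeline that signs and publishes artifacts, default both URLs to the organization's repositories and pin `catalogGitRevision` to a commit as well, or document why the fork is required. The introduction's statement that "no pipeline parameters need to be supplied at invocation time" also conflicts with the five rows marked as not optional (`release`, `releasePlan`, `releasePlanAdmission`, `releaseServiceConfig`, `snapshot`); reword it to say which parameters are derived from the Snapshot and ReleasePlanAdmission data.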