
Add embargo-check task to push-disk-images-to-cdn pipeline #2342

Open
jangel97 wants to merge 1 commit into konflux-ci:development from jangel97:add-embargo-check-push-disk-images

Conversation

@jangel97

Contributor

Summary

  • Add the embargo-check task to the push-disk-images-to-cdn pipeline, matching what rh-advisories already has
  • Without this check, releases with embargoed CVEs in the release notes can be pushed to CDN without being caught
  • The task runs after check-data-keys and before push-disk-images, gating artifact distribution on CVE embargo validation

Changes

  • Added jiraAdvisorySecret extraction to collect-task-params
  • Added embargo-check task between check-data-keys and push-disk-images
  • Updated push-disk-images to chain sourceDataArtifact from embargo-check

Signed-off-by: Jose Angel Morena <jmorenas@redhat.com>

@jangel97

Contributor Author

While working on this, I noticed that calunga-push-to-pulp also calls create-advisory but doesn't have an embargo-check task. Should we add it there too? Maybe somewhere else?

@swickersh

Contributor

Thanks for submitting a fix for this!
The embargo check task needs to read data generated by the populate-release-notes task:

What populate-release-notes actually does for disk-images:

It runs the populate-release-notes-artifacts step, which:

  • Takes .releaseNotes.cves from the Release object + snapshot component structure
  • Populates .releaseNotes.content.artifacts[] with per-component entries that include linked CVEs

What embargo-check actually does without that populated data:

  • check-issues step — reads .releaseNotes.issues.fixed directly. This data comes from the Release object itself (via collect-data), not from populate-release-notes. So Jira issue visibility/embargo checking still works fine.
  • check-cves step — reads CVEs from .releaseNotes.content.artifacts. Without populate-release-notes, that field doesn't exist, so CVES="" → it logs "No CVEs found to check" and exits 0 silently. The InternalRequest to check-embargoed-cves is never made.
  • Cross-reference check (inside check-issues) — verifies a Jira Vulnerability's CVE ID appears in content.artifacts. Without the populated artifacts, it hits line 239 ("No content found...") and continues rather than failing.
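To make the ordering dependency concrete, the following is an added Python model of the data flow described in the comment above. It is not code from release-service-catalog (whose tasks are bash/jq scripts) and not part of this PR. The field shapes of `releaseNotes.cves` and `content.artifacts`, the component name, the CVE IDs and the `EMBARGOED_CVES` set standing in for the check-embargoed-cves InternalRequest are all constructed assumptions; `fail_closed` is a hypothetical hardening, not something the task or the PR implements. Running `embargo-check` before `populate-release-notes` yields the silent "No CVEs found to check" pass and the push proceeds; running it after stops the pipeline on the embargoed CVE.

```python
import copy

# Constructed sample Release data, modelled on the fields named in the discussion.
# The exact shape of releaseNotes.cves and content.artifacts is an assumption.
RELEASE_DATA = {
    "releaseNotes": {
        "cves": [
            {"key": "CVE-2024-0001", "component": "rhel-disk-image", "packages": ["kernel"]},
            {"key": "CVE-2024-0002", "component": "rhel-disk-image", "packages": ["openssl"]},
        ],
        "issues": {"fixed": [{"id": "RHEL-123", "source": "issues.redhat.com"}]},
    }
}
SNAPSHOT_COMPONENTS = [
    {"name": "rhel-disk-image", "containerImage": "quay.io/example/rhel-disk-image:9.4"},
]
# Hypothetical embargo status, standing in for the check-embargoed-cves InternalRequest.
EMBARGOED_CVES = {"CVE-2024-0001"}


def populate_release_notes_artifacts(data, components):
    """Model of the populate-release-notes-artifacts step: link each snapshot
    component to the CVEs listed for it in releaseNotes.cves."""
    data = copy.deepcopy(data)
    notes = data.setdefault("releaseNotes", {})
    artifacts = []
    for comp in components:
        fixed = {
            cve["key"]: {"packages": cve.get("packages", [])}
            for cve in notes.get("cves", [])
            if cve.get("component") == comp["name"]
        }
        artifacts.append({"component": comp["name"],
                          "containerImage": comp["containerImage"],
                          "cves": {"fixed": fixed}})
    notes.setdefault("content", {})["artifacts"] = artifacts
    return data


def collect_cves(data):
    """Mirror of how check-cves gathers its input: CVE IDs from content.artifacts only.
    A missing content.artifacts yields '' (the CVES="" case in the discussion)."""
    artifacts = data.get("releaseNotes", {}).get("content", {}).get("artifacts", [])
    ids = sorted({cve for art in artifacts for cve in art.get("cves", {}).get("fixed", {})})
    return " ".join(ids)


def check_cves(data, embargoed, fail_closed=False):
    """Return (exit_code, message) the way the check-cves step would.

    Default is the fail-open behaviour described above: no CVEs -> exit 0.
    fail_closed=True is a hypothetical hardening: if the Release lists CVEs but
    content.artifacts is absent, refuse to pass instead of skipping the check."""
    cves = collect_cves(data)
    if not cves:
        if fail_closed and data.get("releaseNotes", {}).get("cves"):
            return 1, "releaseNotes.cves is set but content.artifacts is missing; was populate-release-notes run?"
        return 0, "No CVEs found to check"
    hits = [c for c in cves.split() if c in embargoed]
    if hits:
        return 1, "embargoed CVEs in release notes: " + " ".join(hits)
    return 0, "checked %d CVEs, none embargoed" % len(cves.split())


def run_pipeline(order, data, components, embargoed):
    """Run the named tasks in order; return the check-cves result and whether the push ran."""
    data = copy.deepcopy(data)
    result, pushed = None, False
    for task in order:
        if task == "populate-release-notes":
            data = populate_release_notes_artifacts(data, components)
        elif task == "embargo-check":
            result = check_cves(data, embargoed)
            if result[0] != 0:
                break  # a failing task stops the pipeline; push-disk-images never runs
        elif task == "push-disk-images":
            pushed = True
    return result, pushed


if __name__ == "__main__":
    before = ["check-data-keys", "embargo-check", "push-disk-images"]
    after = ["check-data-keys", "populate-release-notes", "embargo-check", "push-disk-images"]
    print("without populate-release-notes:", run_pipeline(before, RELEASE_DATA, SNAPSHOT_COMPONENTS, EMBARGOED_CVES))
    print("with populate-release-notes:   ", run_pipeline(after, RELEASE_DATA, SNAPSHOT_COMPONENTS, EMBARGOED_CVES))
```

The `fail_closed` branch is the check a reviewer might want in the real task as well: when the Release declares CVEs but the check finds none to validate, that is a wiring error in the pipeline, not a clean release.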

@swickersh

Contributor

> While working on this, I noticed that calunga-push-to-pulp also calls create-advisory but doesn't have an embargo-check task. Should we add it there too? Maybe somewhere else?

I don't think it's a bad idea to have for all pipelines unless I'm overlooking something. @johnbieren wdyt?

@jangel97 I wouldn't expect you to do it everywhere unless you just want to. We certainly appreciate the contribution!

@johnbieren

Collaborator

>> While working on this, I noticed that calunga-push-to-pulp also calls create-advisory but doesn't have an embargo-check task. Should we add it there too? Maybe somewhere else?
>
> I don't think it's a bad idea to have for all pipelines unless I'm overlooking something. @johnbieren wdyt?
>
> @jangel97 I wouldn't expect you to do it everywhere unless you just want to. We certainly appreciate the contribution!

Any pipeline that creates an advisory should likely have the embargo-check task. I am not sure if it hurts to have embargo-check in all pipelines, but we'd have to look into it

Disk image releases were missing the embargo check that rh-advisories
already has, allowing releases with embargoed CVEs in the release notes
to be pushed to CDN without being caught.

Signed-off-by: Jose Angel Morena <jmorenas@redhat.com>
jangel97 force-pushed the add-embargo-check-push-disk-images branch from 939ba14 to 6839367 on July 3, 2026 12:32

@jangel97 commented Jul 3, 2026

Contributor Author

@swickersh
I added populate-release-notes before embargo-check so that .releaseNotes.content.artifacts is populated before the CVE embargo check runs.

The chain is now check-data-keys → populate-release-notes → embargo-check → push-disk-images, matching how rh-advisories does it.

Please let me know if anything else would be needed, and thank you for the review!
