feat(PVSEC-12961): add rh-model-signing to image #670

Draft
jrepucci-rh wants to merge 4 commits into konflux-ci:main from jrepucci-rh:main

jrepucci-rh commented Mar 2, 2026

I am currently creating a Konflux task for AI model signing in the release-service-catalog repo. The preferred way to do this is with the new Red Hat model-signing tool, which I propose we add to this image.

JIRA link: PVSEC-12961

snyk-io Bot commented Mar 2, 2026

Snyk checks have passed. No issues have been found so far.

| Status | Scanner | Critical | High | Medium | Low | Total (0) |
|---|---|---|---|---|---|---|
| | Code Security | 0 | 0 | 0 | 0 | 0 issues |

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@swickersh

Contributor

@jrepucci-rh Can you please reference a Jira with this so we can understand more about the background of this change and the proposed catalog task that will use that package?

@jrepucci-rh

Author

@swickersh yes absolutely, just added the Jira link to my original request. You'll find more background about the project in the epic the ticket is attached to.

querti commented Mar 3, 2026

Contributor

Could you please change the first commit line to follow the Conventional Commits specification? Similar to: #654

jrepucci-rh changed the title from "Add the rh-model-signing tool to release-service-utils image" to "feat(PVSEC-12961): add rh-model-signing to image" on Mar 3, 2026

@jrepucci-rh

Author

@querti done. Also went ahead and squashed my commits down to one commit.

swickersh left a comment

Contributor

I see the model-signing package is in the approved feature refinement doc. So this LGTM other than resolving the failing check.

We currently require several approvals up the chain before PRs are merged into main. So I'd expect at least a few days before this will get merged.

@swickersh

Contributor

/retest

@jrepucci-rh

Author

According to the failed test, we needed the container to run on Python 3.10 rather than 3.9. However, I realize that may be a bigger change than just downloading a single package.

@swickersh

Contributor

> According to the failed test, we needed the container to run on Python 3.10 rather than 3.9. However, I realize that may be a bigger change than just downloading a single package

Please rebase. Python is already set to 3.10 in main.

@swickersh

Contributor

/retest

@jrepucci-rh

Author

Hm, the error message is still saying Python is in version 3.9.

@jrepucci-rh

Author

Did some digging in logs for a successful pipeline in the main repo. Looks like in the build job, Python is still being installed as a 3.9 version when running the dnf install step. So when we get to pyproject.toml it winds up using the 3.9 environment instead of the specified 3.10 version.

@swickersh

Contributor

Hi @jrepucci-rh, Python 3.10 isn't available on UBI9. We have a Jira now to upgrade to UBI10, which will in turn use python3.12 for the container image.

Unfortunately, you'll be blocked on this PR until we upgrade. Jira: https://issues.redhat.com/browse/RELEASE-2291

@jrepucci-rh

Author

Thank you for the heads up! I'll keep an eye on that ticket.

swickersh marked this pull request as draft March 4, 2026 17:45

@midnightercz

Contributor

Btw, just a question. How much is rh-model-signing just a wrapper for the cosign CLI? Because from the documentation it looks like it's exactly just that. I guess I understand there are probably some complex use cases which you can support by running a single Python command, and the bash equivalent of those would be complicated if you want to run them in Tekton tasks directly. But a new dependency adds more complexity to dependency management and eventually makes it dependency hell. So I'm wondering if it would be better to have these use cases covered by a small script directly hosted here. Or do you use the tool elsewhere as well?
