
fix: unblock buildah 0.10 arm64 builds and Konflux task digest bumps #838

Open

happybhati wants to merge 1 commit into konflux-ci:main from happybhati:fix-buildah-010-arm64-cross-platform

Conversation

happybhati (Contributor) commented Jun 18, 2026

Summary

Unblocks the MintMaker Konflux task digest bump (buildah-remote-oci-ta 0.9 → 0.10), which fails on arm64 without Dockerfile and pipeline fixes.

Vendor stages (cosign-rhel9, ec-rhel9, rhacs-roxctl-rhel8) are amd64-only; we use FROM --platform=linux/amd64 and ALLOW_CROSS_PLATFORM_IMAGES=true so both arches build.

Changes

  • Dockerfile: FROM --platform=linux/amd64 on vendor COPY stages; pin epel-release-10-8.el10_3 (noarch RPM URL) so amd64 and arm64 match for EC
  • Tekton: MintMaker task digest bumps; ALLOW_CROSS_PLATFORM_IMAGES on build-images; SAST tasks switched to *-oci-ta with SOURCE_ARTIFACT (Trusted Artifacts)

Why pin epel?

epel-release-latest-10 builds on both arches but EC fails with rpm_packages.unique_version (arm64 el10_3 vs amd64 el10_2). Verified in experiment #863: build passed, EC failed. Pinned noarch RPM fixes it.

Supersedes MintMaker #781 — close after merge.

happybhati force-pushed the fix-buildah-010-arm64-cross-platform branch from ea10a6f to bc9ba8a (June 29, 2026 17:17)

happybhati (Contributor, Author): /retest

happybhati force-pushed the fix-buildah-010-arm64-cross-platform branch from 2ac5e4d to f721727 (June 29, 2026 17:42)

happybhati (Contributor, Author): /retest

happybhati force-pushed the fix-buildah-010-arm64-cross-platform branch from f721727 to 3d3cebd (June 29, 2026 18:07)

happybhati (Contributor, Author): /retest

happybhati force-pushed the fix-buildah-010-arm64-cross-platform branch 2 times, most recently from 6c4fd7c to 35e35cd (June 29, 2026 19:39)

happybhati (Contributor, Author): /retest

happybhati force-pushed the fix-buildah-010-arm64-cross-platform branch from 35e35cd to 46de1d8 (June 29, 2026 19:53)

happybhati (Contributor, Author): /retest

happybhati force-pushed the fix-buildah-010-arm64-cross-platform branch 2 times, most recently from 3eeaeed to 3552223 (June 29, 2026 19:58)

happybhati (Contributor, Author): /retest

happybhati force-pushed the fix-buildah-010-arm64-cross-platform branch 3 times, most recently from 09833b7 to b5c1032 (June 30, 2026 12:02)

happybhati (Contributor, Author): /retest

happybhati force-pushed the fix-buildah-010-arm64-cross-platform branch from b5c1032 to a45cdef (June 30, 2026 12:37)

happybhati (Contributor, Author): /retest

happybhati force-pushed the fix-buildah-010-arm64-cross-platform branch 5 times, most recently from 7868eaa to 171696e (June 30, 2026 13:34)

happybhati (Contributor, Author): /retest

happybhati force-pushed the fix-buildah-010-arm64-cross-platform branch from 171696e to 10cfb95 (June 30, 2026 13:45)

happybhati (Contributor, Author): /retest

happybhati force-pushed the fix-buildah-010-arm64-cross-platform branch from 10cfb95 to 8848a9e (June 30, 2026 14:43)

happybhati (Contributor, Author): /retest

happybhati force-pushed the fix-buildah-010-arm64-cross-platform branch from 8848a9e to 3d03490 (June 30, 2026 18:28)

happybhati marked this pull request as ready for review (June 30, 2026 18:33)

happybhati changed the title from "fix: enable cross-platform vendor stages for buildah 0.10 arm64 builds" to "fix: unblock buildah 0.10 arm64 builds and Konflux task digest bumps" (Jun 30, 2026)
@qodo-app-for-konflux-ci commented:

PR Summary by Qodo

Enable cross-platform vendor stages for Buildah 0.10 arm64 builds

🐞 Bug fix ⚙️ Configuration changes 🕐 40+ Minutes


AI Description

• Allow arm64 builds to consume amd64-only vendor stages by pinning platform in Dockerfile.
• Update Tekton pipelines to Buildah 0.10 and permit cross-platform base images.
• Switch SAST tasks to Trusted Artifacts (oci-ta) and wire SOURCE/CACHI2 artifacts.
Diagram

```mermaid
graph TD
  P(["Tekton pipeline"]) --> GC["git-clone-oci-ta"] --> PD["prefetch-dependencies-oci-ta"] --> B["buildah-remote-oci-ta (0.10)"] --> IDX["build-image-index"] --> SAST["SAST *-oci-ta tasks"]
  B --> DF["Dockerfile"] --> V{{"Vendor images (amd64-only)"}}
  PD -. "SOURCE_ARTIFACT/CACHI2" .-> SAST
  subgraph Legend
    direction LR
    _p(["Pipeline"]) ~~~ _t["Task"] ~~~ _e{{"External/Registry"}} ~~~ _f["Config/File"]
  end
```
High-Level Assessment

The following are alternative approaches to this PR:

1. Publish multi-arch vendor images
  • ➕ Avoids cross-platform pulls/emulation edge cases
  • ➕ Keeps Dockerfile architecture-neutral
  • ➕ Reduces reliance on ALLOW_CROSS_PLATFORM_IMAGES escapes
  • ➖ Requires upstream/vendor changes and release coordination
  • ➖ Longer lead time than a pipeline/Dockerfile fix
2. Fetch vendor CLIs from official release artifacts
  • ➕ Removes dependency on amd64-only container images
  • ➕ Often easier to pin checksums/versions per tool
  • ➖ More bespoke install logic and verification in Dockerfile
  • ➖ May diverge from Red Hat supported distribution of tools
3. Build vendor tooling from source during image build
  • ➕ Fully reproducible and architecture-native outputs
  • ➕ No dependency on prebuilt vendor images
  • ➖ Significantly increases build time/complexity
  • ➖ Requires toolchains and extra maintenance

Recommendation: The chosen approach is the fastest, lowest-risk unblock for the Buildah 0.10 bump: force amd64 only where strictly necessary (vendor COPY stages) and explicitly allow cross-platform pulls in the build task. Consider a follow-up to move vendor images to multi-arch to remove the cross-platform escape hatch over time.

Files changed (3) +67 / -53

Bug fix (1) +5 / -5

Dockerfile: Force amd64 vendor stages; pin EPEL release; update UBI10 base (+5/-5)

• Pins vendor COPY stages (ec-rhel9, cosign-rhel9, rhacs-roxctl-rhel8) to linux/amd64 so arm64 builds can still copy required binaries. Updates the UBI10 base image digest/tag. Pins epel-release to a specific noarch RPM URL to keep EC RPM versioning consistent across architectures.

Other (2) +62 / -48

.tekton/release-service-utils-standalone-pull-request.yaml: Bump task bundles; allow cross-platform builds; move SAST to oci-ta (+31/-24)

• Updates multiple Konflux task bundle digests, including buildah-remote-oci-ta 0.9 → 0.10. Adds ALLOW_CROSS_PLATFORM_IMAGES=true to the build task to tolerate amd64-only base/vendor images on arm64. Switches SAST tasks to *-oci-ta variants and passes SOURCE_ARTIFACT/CACHI2_ARTIFACT from prefetch-dependencies; also removes/empties some workspace wiring for those tasks.

.tekton/release-service-utils-standalone-push.yaml: Align push pipeline with cross-platform Buildah 0.10 + oci-ta SAST (+31/-24)

• Mirrors the pull-request pipeline updates: bumps task bundle digests and upgrades buildah-remote-oci-ta to 0.10. Enables ALLOW_CROSS_PLATFORM_IMAGES for the image build. Migrates SAST tasks to *-oci-ta variants and wires SOURCE_ARTIFACT/CACHI2_ARTIFACT inputs, with workspace definitions removed/emptied where no longer needed.

@qodo-app-for-konflux-ci commented:

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0) 📜 Skill insights (0)

Context used
✅ Compliance rules (platform): 25 rules

Action required

1. Arm64 roxctl is amd64 🐞 Bug ≡ Correctness
Description
The Dockerfile now forces the roxctl stage to linux/amd64, but the final image unconditionally copies /usr/bin/roxctl from that stage. Since the Tekton PipelineRun builds a linux/arm64 image, the arm64 image will embed an amd64 roxctl binary and roxctl execution will fail on arm64 hosts.
Code

Dockerfile[7]

+FROM --platform=linux/amd64 registry.redhat.io/advanced-cluster-security/rhacs-roxctl-rhel8:4.10.4-1 as roxctl
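Review bot: the roxctl stage is referenced by tag only (`rhacs-roxctl-rhel8:4.10.4-1`) with no `@sha256:` digest, so a retagged upstream image would be picked up silently; pin the digest the same way the Konflux task bundles in the .tekton pipelines are pinned. The `--platform=linux/amd64` pin also means the `/usr/bin/roxctl` that the final stage copies is an amd64 ELF regardless of the build's target platform, so the arm64 variant ships a binary that cannot execute natively; either fetch an arm64 roxctl in the final stage or gate the COPY on TARGETARCH. Minor: `AS` in upper case matches the Dockerfile keyword convention used for the other stages.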
Relevance

⭐⭐⭐ High

Repo previously fixed wrong-arch binary issues in Dockerfile for multi-arch (cosign) to avoid ARM exec failures.

PR-#608
PR-#609
PR-#571

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
The roxctl stage is explicitly pinned to amd64, and its binary is copied into the final image. The pipeline builds an arm64 image, so that arm64 image will necessarily include an amd64 roxctl binary.

Dockerfile[7-7]
Dockerfile[78-78]
.tekton/release-service-utils-standalone-pull-request.yaml[119-123]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The final runtime image always copies `roxctl` from an amd64-only stage (`FROM --platform=linux/amd64 ... as roxctl`). This makes the `linux/arm64` image contain an amd64 `roxctl` binary.

## Issue Context
The pipeline builds multi-arch images (`linux/x86_64` and `linux/arm64`). With the new amd64-pinned vendor stage, the copied executable cannot match arm64.

## Fix approach (one of)
1. **Fetch roxctl for the target arch** during the final stage (similar to how `cosign3` is downloaded), using the same arch mapping already present in the Dockerfile.
2. **Stop shipping roxctl** in the runtime image (if not required), or split it into an amd64-only image.
3. If a multi-arch source exists, **switch the roxctl stage to a multi-arch image** (remove `--platform=linux/amd64`) and rely on correct platform resolution.

## Fix Focus Areas
- Dockerfile[7-7]
- Dockerfile[78-78]



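One defensive check for the wrong-architecture finding above, as an added example that is not part of the PR or of the Qodo review: a POSIX shell routine that reads the ELF e_machine field of each binary and compares it with the image's TARGETARCH, so an amd64 roxctl copied into a linux/arm64 image fails the build instead of failing at runtime. The function names elf_arch and check_binaries are constructed for this example; /usr/bin/roxctl is the path the finding cites.

```shell
#!/bin/sh
# Added example (not from the PR): flag ELF binaries whose machine type does
# not match the image's target architecture, e.g. an amd64 roxctl copied from
# a --platform=linux/amd64 stage into a linux/arm64 image. Meant to run as a
# RUN step in the final stage or as a post-build check; `expected` follows
# the Docker/buildah TARGETARCH convention (amd64 | arm64).

# Print the ELF e_machine of a file as a TARGETARCH-style name.
# Prints "not-elf" for non-ELF files and "unknown" for other machine types.
elf_arch() {
  # Bytes 0-3 hold the magic; bytes 18-19 hold e_machine, little-endian on
  # both x86-64 and AArch64 ELF files.
  magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
  [ "$magic" = "7f454c46" ] || { echo "not-elf"; return 0; }
  machine=$(od -An -tx1 -j18 -N2 "$1" | tr -d ' \n')
  case "$machine" in
    3e00) echo amd64 ;;   # EM_X86_64  = 0x3E
    b700) echo arm64 ;;   # EM_AARCH64 = 0xB7
    *)    echo unknown ;;
  esac
}

# Check every file given after the expected arch. Returns 0 when all ELF
# files match, 1 otherwise; non-ELF files (scripts, data) are skipped.
check_binaries() {
  expected=$1; shift
  rc=0
  for f in "$@"; do
    arch=$(elf_arch "$f")
    case "$arch" in
      not-elf)     continue ;;
      "$expected") echo "ok   $f ($arch)" ;;
      *)           echo "FAIL $f is $arch, image targets $expected" >&2; rc=1 ;;
    esac
  done
  return $rc
}

# Example invocation as it could appear in the final build stage, where
# TARGETARCH is supplied by buildah/BuildKit (assumed, not from the PR):
#   check_binaries "$TARGETARCH" /usr/bin/roxctl
```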

Comment thread: Dockerfile

seanconroy2021 (Member) left a comment:

LGTM

happybhati added this pull request to the merge queue (Jul 1, 2026)

github-merge-queue (bot) removed this pull request from the merge queue due to failed status checks (Jul 1, 2026)

happybhati force-pushed the fix-buildah-010-arm64-cross-platform branch from 3d03490 to 3f8aadb (July 1, 2026 18:04)

Commit message:

Add FROM --platform=linux/amd64 on vendor COPY stages and set
ALLOW_CROSS_PLATFORM_IMAGES=true on build-images to tolerate amd64-only
vendor images on arm64. Pin epel-release-10-8.el10_3 via a fixed noarch
RPM URL for EC unique_version across arches. Switch SAST tasks to
oci-ta variants with SOURCE_ARTIFACT for Trusted Artifacts pipelines.
Bump UBI10 base and align Konflux task digests.

Assisted-By: Cursor
Signed-off-by: Happy Bhati <hbhati@redhat.com>

happybhati force-pushed the fix-buildah-010-arm64-cross-platform branch from 3f8aadb to fd7e1ba (July 1, 2026 18:06)

happybhati enabled auto-merge (July 1, 2026 18:07)
happybhati (Contributor, Author): /retest
