Skip to content

Merge RHDS main to ODH main #74

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
hbelmiro wants to merge 49 commits into from
Closed

Merge RHDS main to ODH main #74

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
49 commits
Select commit Hold shift + click to select a range
d7558b5
sync pipelineruns with konflux-central - be73b6e
rhods-devops-app[bot] Apr 16, 2026
80c9639
add Dockerfile.konflux.*
wznoinsk Apr 16, 2026
75daf22
Merge pull request #2 from red-hat-data-services/wznoinsk_main_add_do…
wznoinsk Apr 16, 2026
19f2b50
sync config with renovate-central
rhods-devops-app[bot] Apr 16, 2026
20ebbdb
regenerate autox pipeline yaml files
Mateusz-Switala Apr 16, 2026
1199fea
Merge pull request #4 from Mateusz-Switala/autox_add_missing_compiled…
LukaszCmielowski Apr 16, 2026
31d92bf
sync pipelineruns with konflux-central - de50bdb
rhods-devops-app[bot] Apr 16, 2026
281b471
Merge remote-tracking branch 'upstream/main'
moulalis Apr 17, 2026
5f2d950
chore(deps): update registry.redhat.io/ubi9/python-311 docker digest …
konflux-internal-p02[bot] Apr 21, 2026
d3100c5
Merge remote-tracking branch 'upstream/main'
moulalis Apr 21, 2026
c8f2fe6
chore(deps): update registry.redhat.io/ubi9/python-311 docker digest …
konflux-internal-p02[bot] Apr 21, 2026
8620c8f
chore(deps): update registry.redhat.io/rhai/base-image-cpu-rhel9 dock…
konflux-internal-p02[bot] Apr 21, 2026
83253f9
chore(deps): update registry.redhat.io/ubi9/python-311 docker digest …
konflux-internal-p02[bot] Apr 22, 2026
81dfb51
Merge remote-tracking branch 'upstream/main'
moulalis Apr 22, 2026
2a54f43
Merge remote-tracking branch 'upstream/main'
dryszka Apr 22, 2026
589c687
chore(deps): update registry.redhat.io/ubi9/python-311 docker digest …
konflux-internal-p02[bot] Apr 23, 2026
94d5517
Merge remote-tracking branch 'upstream/main'
moulalis Apr 27, 2026
79eaeec
Merge remote-tracking branch 'upstream/main'
jstetina Apr 28, 2026
d00e9ef
chore(deps): update registry.redhat.io/ubi9/python-311 docker digest …
konflux-internal-p02[bot] Apr 28, 2026
ddeed22
chore(deps): update registry.redhat.io/ubi9/python-311 docker digest …
konflux-internal-p02[bot] Apr 29, 2026
6bfe67b
sync pipelineruns with konflux-central - d678d58
rhods-devops-app[bot] May 1, 2026
86ac343
chore(deps): update registry.redhat.io/ubi9/python-311 docker digest …
konflux-internal-p02[bot] May 4, 2026
3cc30ab
image digest updated for AutoML pipelines
filip-komarzyniec Apr 21, 2026
c627efe
chore: update AutoML pipeline.yaml files with latest images
dryszka Apr 22, 2026
1181ae6
image digest updated for AutoRAG pipeline
filip-komarzyniec Apr 21, 2026
802697d
Merge remote-tracking branch 'upstream/main'
moulalis May 4, 2026
6956f86
Merge pull request #28 from Mateusz-Switala/cherry-pick-autox-pipelin…
LukaszCmielowski May 5, 2026
558619c
Merge remote-tracking branch 'upstream/main'
moulalis May 5, 2026
73f2b43
chore(deps): update registry.redhat.io/ubi9/python-311 docker digest …
konflux-internal-p02[bot] May 5, 2026
6e05490
Merge remote-tracking branch 'upstream/main'
moulalis May 6, 2026
2f08dc4
Merge remote-tracking branch 'upstream/main'
moulalis May 7, 2026
83d7377
chore(deps): update registry.redhat.io/ubi9/python-311 docker digest …
konflux-internal-p02[bot] May 7, 2026
27245a8
implementing suggestions in https://redhat.atlassian.net/browse/RHOAI…
nsingla Apr 29, 2026
f4f5d93
adding hashes to requirements.txt file
nsingla May 8, 2026
a9eb51b
Merge remote-tracking branch 'upstream/main'
moulalis May 8, 2026
2a00881
chore(deps): update registry.redhat.io/ubi9/python-311 docker digest …
konflux-internal-p02[bot] May 11, 2026
fd90367
Merge remote-tracking branch 'upstream/main'
moulalis May 11, 2026
6066fc5
chore(automl): Updated compiled pipelines with 3.5 EA1 changes. (#46)
DorotaDR May 12, 2026
ce53cb2
(chore): recompiled autorag pipeline so that recent bug fixes are inc…
filip-komarzyniec May 12, 2026
891cb41
chore(deps): update registry.redhat.io/ubi9/python-311 docker digest …
konflux-internal-p02[bot] May 13, 2026
067710c
Merge branch 'main' into 59984-main
dryszka May 13, 2026
048a104
sync pipelineruns with konflux-central - efd8b3b
rhods-devops-app[bot] May 13, 2026
47cd318
Merge pull request #42 from nsingla/59984-main
dryszka May 14, 2026
6453385
Merge remote-tracking branch 'upstream/main'
DorotaDR May 14, 2026
a6a56a5
Merge remote-tracking branch 'upstream/main'
DorotaDR May 14, 2026
606c428
chore(autorag): Updated pipeline.yaml for AutoRAG (#50)
DorotaDR May 14, 2026
8542090
Merge remote-tracking branch 'upstream/main'
moulalis May 14, 2026
19f638a
Merge remote-tracking branch 'red-hat-data-services/main' into merge-…
hbelmiro May 15, 2026
47dc4d9
chore: Update `requirements.txt` with regenerated dependencies and up…
hbelmiro May 15, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions .github/renovate.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"github>red-hat-data-services/konflux-central//renovate/default-renovate.json5"
]
}
6 changes: 3 additions & 3 deletions .tekton/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,17 +1,17 @@
# ⚠️ Do Not Modify Files in the `.tekton/` Directory Directly

The `.tekton/` directory in each component repository is **automatically synchronized** from [`konflux-central`](https://github.com/opendatahub-io/odh-konflux-central) using automation. Any edits made directly to Tekton files in the component repositories will be **overwritten** by the next sync.
The `.tekton/` directory in each component repository is **automatically synchronized** from [`konflux-central`](https://github.com/red-hat-data-services/konflux-central) using automation. Any edits made directly to Tekton files in the component repositories will be **overwritten** by the next sync.

All Tekton file updates **must be made in the `konflux-central` repository**.

## ✅ How to Make Changes

To modify the pipelines for `pipelines-components` in the `main` branch:

- Clone the [`konflux-central`](https://github.com/opendatahub-io/odh-konflux-central) repository.
- Clone the [`konflux-central`](https://github.com/red-hat-data-services/konflux-central) repository.

```bash
git clone git@github.com:opendatahub-io/odh-konflux-central.git
git clone git@github.com:red-hat-data-services/konflux-central.git
cd konflux-central
Comment on lines +14 to 15
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot May 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Replace direct-to-main instructions with PR-based flow.

Current instructions tell contributors to push straight to main, which weakens change control and can bypass required reviews/checks if branch protection is permissive. This is a supply-chain/process security risk (CWE-285: Improper Authorization at workflow level).

Suggested doc fix 
-git checkout main
+git checkout -b <your-branch-name>

 ...

-git push origin main
+git push origin <your-branch-name>

Add a final step instructing users to open a PR against main in red-hat-data-services/konflux-central.

As per coding guidelines, "REVIEW PRIORITIES: 1. Security vulnerabilities ... 2. Architectural issues and anti-patterns".

Also applies to: 35-37

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.tekton/README.md around lines 14 - 15, The README currently instructs
contributors to push directly to main (see the commands "git clone
git@github.com:red-hat-data-services/konflux-central.git" and "cd
konflux-central" and the later push-to-main steps); change the workflow to a
PR-based flow by instructing contributors to create a feature branch, push that
branch to their fork (e.g., git checkout -b my-feature; git push origin
my-feature), and then open a Pull Request against main in
red-hat-data-services/konflux-central instead of pushing directly to main; apply
the same update to the later occurrence of the push-to-main instructions (lines
referenced in the comment).

```

Expand Down
83 changes: 83 additions & 0 deletions .tekton/odh-automl-pull-request.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,83 @@
apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
annotations:
build.appstudio.openshift.io/repo: https://github.com/red-hat-data-services/pipelines-components?rev={{revision}}
build.appstudio.redhat.com/commit_sha: '{{revision}}'
build.appstudio.redhat.com/target_branch: '{{target_branch}}'
build.appstudio.redhat.com/pull_request_number: "{{pull_request_number}}"
pipelinesascode.tekton.dev/max-keep-runs: "3"
pipelinesascode.tekton.dev/on-comment: "^/build-konflux-automl"
pipelinesascode.tekton.dev/on-label: "[kfbuild-all, kfbuild-automl]"
pipelinesascode.tekton.dev/on-target-branch: "[{{target_branch}}]"
pipelinesascode.tekton.dev/on-event: "[pull_request]"
pipelinesascode.tekton.dev/cancel-in-progress: "true"
labels:
appstudio.openshift.io/application: automation
appstudio.openshift.io/component: pull-request-pipelines-odh-automl
pipelines.appstudio.openshift.io/type: build
name: odh-automl-on-pull-request
namespace: rhoai-tenant
spec:
timeouts:
pipeline: 8h
params:
- name: git-url
value: '{{source_url}}'
- name: revision
value: '{{revision}}'
- name: additional-tags
value:
- 'pr-{{pull_request_number}}-into-{{target_branch}}'
- name: additional-labels
value:
- version=on-pr-{{revision}}
- io.openshift.tags=odh-automl
- name: output-image
value: quay.io/rhoai/pull-request-pipelines:odh-automl-{{revision}}
- name: build-platforms
value:
- linux/x86_64
- linux/ppc64le
- linux/s390x
- linux-m2xlarge/arm64
- name: image-expires-after
value: 5d
- name: dockerfile
value: Dockerfile.konflux.automl
- name: path-context
value: .
- name: hermetic
value: true
- name: prefetch-input
value:
[
{
"type": "pip",
"path": "pipelines/training/automl",
"requirements_files": [
"autogluon_tabular_training_pipeline/requirements.txt"
],
"binary": {"arch": ":all:"}
}
]
- name: build-image-index
value: true
- name: enable-slack-failure-notification
value: "false"
pipelineRef:
resolver: git
params:
- name: url
value: https://github.com/red-hat-data-services/konflux-central.git
- name: revision
value: '{{ target_branch }}'
- name: pathInRepo
value: pipelines/multi-arch-container-build.yaml
taskRunTemplate:
serviceAccountName: build-pipeline-pull-request-pipelines
workspaces:
- name: git-auth
secret:
secretName: '{{ git_auth_secret }}'
status: {}
96 changes: 96 additions & 0 deletions .tekton/odh-autorag-on-pull-request.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,96 @@
apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
annotations:
build.appstudio.openshift.io/repo: https://github.com/red-hat-data-services/pipelines-components?rev={{revision}}
build.appstudio.redhat.com/commit_sha: '{{revision}}'
build.appstudio.redhat.com/target_branch: '{{target_branch}}'
build.appstudio.redhat.com/pull_request_number: "{{pull_request_number}}"
pipelinesascode.tekton.dev/max-keep-runs: "3"
pipelinesascode.tekton.dev/on-comment: "^/build-konflux-autorag"
pipelinesascode.tekton.dev/on-event: "[pull_request]"
pipelinesascode.tekton.dev/cancel-in-progress: "true"
labels:
appstudio.openshift.io/application: automation
appstudio.openshift.io/component: pull-request-pipelines-odh-autorag
pipelines.appstudio.openshift.io/type: build
name: odh-autorag-on-pull-request
namespace: rhoai-tenant
spec:
timeouts:
pipeline: 8h
params:
- name: git-url
value: '{{source_url}}'
- name: revision
value: '{{revision}}'
- name: additional-tags
value:
- 'pr-{{pull_request_number}}-into-{{target_branch}}'
- name: additional-labels
value:
- version=on-pr-{{revision}}
- io.openshift.tags=odh-autorag
- name: output-image
value: quay.io/rhoai/pull-request-pipelines:odh-autorag-{{revision}}
- name: build-platforms
value:
- linux/x86_64
- linux/ppc64le
- linux/s390x
- linux-m2xlarge/arm64
- name: image-expires-after
value: 5d
- name: dockerfile
value: Dockerfile.konflux.autorag
- name: path-context
value: .
- name: hermetic
value: true
- name: prefetch-input
value:
[
{
"type": "pip",
"path": "pipelines/training/autorag",
"requirements_files": [
"documents_rag_optimization_pipeline/requirements.txt",
"documents_rag_optimization_pipeline/requirements-pypi-whl.txt"
],
"binary": {"arch": ":all:"}
},
{
"type": "pip",
"path": "pipelines/training/autorag/documents_rag_optimization_pipeline",
"requirements_files": [
"requirements-pypi.txt"
]
},
{
"type": "generic",
"path": "pipelines/training/autorag/documents_rag_optimization_pipeline",
"lockfile": "artifacts.lock.yaml"
}
]
- name: prefetch-log-level
value: "debug"
Comment on lines +75 to +76
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot May 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Debug logging may leak sensitive information.

Setting prefetch-log-level: "debug" enables verbose logging that may expose internal URLs, authentication tokens, proprietary package names, or build secrets in CI logs. If this is for troubleshooting, it should be removed before production use.

Remove or set to "info" unless debug logging is explicitly required and CI logs are properly secured.

🔒 Proposed fix 
-  - name: prefetch-log-level
-    value: "debug"
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: prefetch-log-level
value: "debug"
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.tekton/odh-autorag-on-pull-request.yaml around lines 75 - 76, The CI step
currently sets prefetch-log-level to "debug", which can leak sensitive data in
logs; update the configuration by either removing the prefetch-log-level entry
or changing its value from "debug" to "info" (or a less verbose level) in the
YAML so that the key prefetch-log-level no longer enables debug logging in the
pipeline.

- name: build-image-index
value: true
- name: enable-slack-failure-notification
value: "false"
pipelineRef:
resolver: git
params:
- name: url
value: https://github.com/red-hat-data-services/konflux-central.git
- name: revision
value: '{{ target_branch }}'
- name: pathInRepo
value: pipelines/multi-arch-container-build.yaml
taskRunTemplate:
serviceAccountName: build-pipeline-pull-request-pipelines
workspaces:
- name: git-auth
secret:
secretName: '{{ git_auth_secret }}'
status: {}
76 changes: 76 additions & 0 deletions .tekton/odh-pipelines-components-pull-request.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,76 @@
---
apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
annotations:
build.appstudio.openshift.io/repo: https://github.com/red-hat-data-services/pipelines-components?rev={{revision}}
build.appstudio.redhat.com/commit_sha: '{{revision}}'
build.appstudio.redhat.com/target_branch: '{{target_branch}}'
build.appstudio.redhat.com/pull_request_number: "{{pull_request_number}}"
pipelinesascode.tekton.dev/max-keep-runs: "3"
pipelinesascode.tekton.dev/on-comment: "^/build-konflux odh-pipelines-components"
pipelinesascode.tekton.dev/cancel-in-progress: "true"
labels:
appstudio.openshift.io/application: automation
appstudio.openshift.io/component: pull-request-pipelines-odh-pipelines-components
pipelines.appstudio.openshift.io/type: build
name: odh-pipelines-components-on-pull-request-{{pull_request_number}}
namespace: rhoai-tenant
spec:
params:
- name: git-url
value: '{{source_url}}'
- name: revision
value: '{{revision}}'
- name: additional-tags
value:
- 'pr-{{pull_request_number}}-into-{{target_branch}}'
- name: additional-labels
value:
- version=on-pr-{{revision}}
- io.openshift.tags=odh-pipelines-components
- name: output-image
value: quay.io/rhoai/pull-request-pipelines:odh-pipelines-components-{{revision}}
- name: dockerfile
value: Dockerfile.konflux.pipelines-components
- name: path-context
value: .
- name: hermetic
value: 'true'
- name: prefetch-input
value: >-
{"type": "pip", "path": ".",
"requirements_files": ["requirements.txt"],
"requirements_build_files": ["requirements-build.txt"],
"binary": {"arch": ":all:"}}

- name: build-source-image
value: true
- name: build-image-index
value: true
- name: build-platforms
value:
- linux/x86_64
- linux-m2xlarge/arm64
- linux/ppc64le
- linux/s390x
- name: image-expires-after
value: 5d
- name: enable-slack-failure-notification
value: "false"
pipelineRef:
resolver: git
params:
- name: url
value: https://github.com/red-hat-data-services/konflux-central.git
- name: revision
value: '{{ target_branch }}'
- name: pathInRepo
value: pipelines/multi-arch-container-build.yaml
taskRunTemplate:
serviceAccountName: build-pipeline-pull-request-pipelines
workspaces:
- name: git-auth
secret:
secretName: '{{git_auth_secret}}'
status: {}
2 changes: 2 additions & 0 deletions .yamllint.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,8 @@
extends: default
ignore: |
.tekton/
# KFP-compiled pipeline IR; indentation/line-length do not match hand-written YAML rules.
pipelines/**/pipeline.yaml
rules:
line-length:
max: 120
Expand Down
21 changes: 21 additions & 0 deletions Dockerfile.konflux.automl
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
ARG BASE_IMAGE="registry.redhat.io/rhai/base-image-cpu-rhel9@sha256:e42e1d0b52b4f2d2906b302f75987d353248279fa69eead69f907f6fff8d708c"

FROM ${BASE_IMAGE}

COPY pipelines/training/automl/autogluon_tabular_training_pipeline/requirements.txt \
pipelines/training/automl/autogluon_tabular_training_pipeline/requirements-pypi.txt \
/tmp/

## Ensure build isolation
RUN pip install --index-url https://console.redhat.com/api/pypi/public-rhai/rhoai/3.4/cpu-ubi9/simple/ --no-cache-dir -r /tmp/requirements.txt
RUN pip install --index-url https://pypi.org/simple --no-cache-dir -r /tmp/requirements-pypi.txt
Comment on lines +10 to +11
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot May 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Potential dependency conflict from sequential index installs.

Installing from two different package indexes sequentially (RHAI then PyPI) can cause dependency resolution conflicts if the same package exists in both indexes with different versions. The second install may override packages from the first, breaking the "build isolation" mentioned in line 9.

Consider consolidating requirements or using pip install with --no-deps for the second index if packages are truly isolated, or use a single requirements file with explicit --index-url per package.

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.konflux.automl` around lines 10 - 11, The two RUN pip install
lines install packages from different indexes sequentially (the first RUN using
/tmp/requirements.txt with the RHAI index and the second RUN using
/tmp/requirements-pypi.txt with PyPI) which can lead to dependency version
conflicts because the second installation can override packages from the first;
to fix, consolidate dependency installation so pip resolves both sources
together (e.g., merge into a single requirements file or use a single pip
invocation that specifies package-specific --index-url entries), or if packages
are truly isolated, install the second set with --no-deps to prevent overriding
transitive dependencies—update the RUN pip install commands and the
/tmp/requirements*.txt files accordingly to ensure deterministic resolution.


LABEL com.redhat.component="odh-automl-container" \
name="managed-open-data-hub/odh-automl-rhel9" \
description="odh-automl" \
summary="odh-automl" \
maintainer="['managed-open-data-hub@redhat.com']" \
io.openshift.expose-services="" \
io.k8s.display-name="odh-automl" \
io.k8s.description="odh-automl" \
com.redhat.license_terms="https://www.redhat.com/licenses/Red_Hat_Standard_EULA_20191108.pdf"
48 changes: 48 additions & 0 deletions Dockerfile.konflux.autorag
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
# This container is used to run the AutoRAG components of the training pipeline.

#ARG BASE_IMAGE="quay.io/aipcc/base-images/cpu:3.3"
ARG BASE_IMAGE="registry.redhat.io/rhai/base-image-cpu-rhel9@sha256:e42e1d0b52b4f2d2906b302f75987d353248279fa69eead69f907f6fff8d708c"
FROM ${BASE_IMAGE}

COPY pipelines/training/autorag/documents_rag_optimization_pipeline/requirements.txt \
pipelines/training/autorag/documents_rag_optimization_pipeline/requirements-pypi.txt \
pipelines/training/autorag/documents_rag_optimization_pipeline/requirements-pypi-whl.txt \
/tmp/

COPY pipelines/training/autorag/documents_rag_optimization_pipeline/seed_docling_models.py \
pipelines/training/autorag/documents_rag_optimization_pipeline/artifacts.lock.yaml \
pipelines/training/autorag/documents_rag_optimization_pipeline/install_sqlite_from_source.sh \
/tmp/

# Build SQLite from sqlite-autoconf (Hermeto generic prefetch or download); replace system libsqlite3.
# https://github.com/hermetoproject/hermeto/blob/main/docs/generic.md
ARG HERMETO_GENERIC_DEPS=/cachi2/output/deps/generic

# Build SQLite from sqlite-autoconf (Hermeto generic prefetch or download); replace system libsqlite3.
USER root
RUN HERMETO_GENERIC_DEPS="${HERMETO_GENERIC_DEPS}" bash /tmp/install_sqlite_from_source.sh
Comment on lines +22 to +23
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot May 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Arbitrary script execution as root (CWE-250).

Switching to USER root to execute /tmp/install_sqlite_from_source.sh grants unnecessary privileges. If the script or any dependency it downloads is compromised, the entire build environment and potentially the base image layers can be compromised. This violates the principle of least privilege.

Refactor to:

  1. Build SQLite in a separate builder stage as non-root, or
  2. Pre-build SQLite and package it in the base image, or
  3. If root is absolutely required, audit and minimize the script's surface area and consider cryptographic verification of downloaded artifacts.

As per coding guidelines, Dockerfiles should run as non-root user.

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.konflux.autorag` around lines 22 - 23, The Dockerfile switches to
USER root to run /tmp/install_sqlite_from_source.sh with HERMETO_GENERIC_DEPS
which grants excessive privileges; refactor by moving the SQLite build into a
separate multi-stage builder image run as a non-root user (or pre-build and
include SQLite in the base image) so the install script is never executed as
root in the final image, and if running as root cannot be avoided, minimize and
audit /tmp/install_sqlite_from_source.sh and add cryptographic verification of
any downloaded artifacts before executing them.

USER default

## TODO: Ensure build isolation
RUN pip install --index-url https://console.redhat.com/api/pypi/public-rhai/rhoai/3.4/cpu-ubi9/simple/ --no-cache-dir -r /tmp/requirements.txt
RUN pip install --index-url https://pypi.org/simple --no-cache-dir -r /tmp/requirements-pypi.txt
RUN pip install --index-url https://pypi.org/simple --no-cache-dir -r /tmp/requirements-pypi-whl.txt
Comment on lines +26 to +29
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot May 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Three sequential pip installs risk dependency conflicts.

Installing from three different package indexes sequentially (RHAI → PyPI → PyPI wheel) increases the risk of version conflicts and dependency resolution failures. The TODO comment on line 26 acknowledges that build isolation is not ensured.

Consolidate into a single requirements file with explicit source annotations, or use a lock file (e.g., pip-compile output) that resolves all dependencies together.

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.konflux.autorag` around lines 26 - 29, The three sequential pip
install lines (the RUN pip install ... for /tmp/requirements.txt,
/tmp/requirements-pypi.txt, and /tmp/requirements-pypi-whl.txt) can cause
dependency resolution conflicts; consolidate dependency resolution into a single
install step by producing one locked requirements file (e.g., via pip-compile or
pip-tools) that resolves versions across all sources and/or annotates sources
with --extra-index-url or direct PEP 508 URLs, then replace the three RUN pip
install lines with a single RUN pip install --no-cache-dir -r
/tmp/requirements-locked.txt so all packages are resolved together and build
isolation is ensured.


# Docling models for offline text extraction. Hermeto: prefetch with generic lockfile (see /tmp/artifacts.lock.yaml)
# and mount output at ${HERMETO_GENERIC_DEPS}; https://github.com/hermetoproject/hermeto/blob/main/docs/generic.md
ENV DOCLING_ARTIFACTS_PATH=/opt/app-root/docling-artifacts/models
RUN if [ -d "${HERMETO_GENERIC_DEPS}" ] && [ -n "$(ls -A "${HERMETO_GENERIC_DEPS}" 2>/dev/null)" ]; then \
python3 /tmp/seed_docling_models.py --dest /opt/app-root/docling-artifacts/models --hermeto-dir "${HERMETO_GENERIC_DEPS}"; \
else \
python3 /tmp/seed_docling_models.py --dest /opt/app-root/docling-artifacts/models --download; \
fi

LABEL com.redhat.component="odh-autorag-container" \
name="managed-open-data-hub/odh-autorag-rhel9" \
description="odh-autorag" \
summary="odh-autorag" \
maintainer="['managed-open-data-hub@redhat.com']" \
io.openshift.expose-services="" \
io.k8s.display-name="odh-autorag" \
io.k8s.description="odh-autorag" \
com.redhat.license_terms="https://www.redhat.com/licenses/Red_Hat_Standard_EULA_20191108.pdf"
Loading
Loading