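--- a/.github/workflows/update-composer.yml
+++ b/.github/workflows/update-composer.yml
@@ -0,0 +1,51 @@
+# This action updates the osbuild-composer ref in the Schutzfile
+---
+name: "Update osbuild-composer commit ID"
+
+on: # yamllint disable-line rule:truthy
+workflow_dispatch: # support manual dispatch
+schedule:
+# Every Sunday at 12:00
+- cron: "0 12 * * 0"
+
+jobs:
+update-and-push:
+runs-on: ubuntu-24.04
+env:
+GH_TOKEN: ${{ secrets.SCHUTZBOT_GITHUB_ACCESS_TOKEN }}
+steps:
+- name: Clone
+# This workflow can be started from a branch, but we always want to
+# work on main to update the osbuild-composer ref.
+# WARNING: This means the update-schutzfile-script below will always be
+# run from the main branch.
+run: |
+git clone --depth=1 --branch main https://github.com/$GITHUB_REPOSITORY ./src
+
+- name: User config
+working-directory: ./src
+run: |
+git config user.name "schutzbot"
+git config user.email "schutzbot@gmail.com"
+
+- name: Update Schutzfile
+working-directory: ./src
+# script also creates github_pr_body.txt
+run: |
+./schutzbot/update-schutzfile-composer
+
+- name: Open PR
+working-directory: ./src
+run: |
+if git diff --exit-code; then echo "No changes"; exit 0; fi
+branch="schutzfile-composer-$(date -I)"
+git checkout -b "${branch}"
+git add Schutzfile
+git commit -m "schutzfile: Update osbuild-composer dependency commit ID"
+remote="https://oauth2:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}"
+git push -f "${remote}" "${branch}"
+gh pr create \
+--title "Update osbuild-composer dependency commit ID" \
+--body-file "github_pr_body.txt" \
+--base "main" \
+--head "${branch}"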
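Review bot: `GH_TOKEN` is set in the job-level `env:`, so the schutzbot access token is in the environment of every step, including `./schutzbot/update-schutzfile-composer`, although only the "Open PR" step visibly uses it; moving the `env:` block under that step would limit the exposure, provided the update script does not itself need the token (it is not shown here). The push also places the token in the remote URL on git's command line (`https://oauth2:${GH_TOKEN}@github.com/...`); running `gh auth setup-git` and then `git push -f origin "${branch}"` lets git obtain the credential from gh instead. The workflow declares no `permissions:` key, so the automatic `GITHUB_TOKEN` keeps the repository's default scope even though no step appears to use it; a top-level `permissions: {}` would drop it if nothing else depends on it.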
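--- a/Schutzfile
+++ b/Schutzfile
@@ -1,6 +1,9 @@
 {
 "fedora-42": {
 "dependencies": {
+"composer": {
+"commit": "73e71e29381cd96fe4666091714d0b8c90a62805"
+},
 "osbuild": {
 "commit": "8d2a28c5b984667d29aaeca101b5a2b1d72605e6"
 }
@@ -44,69 +47,99 @@
 },
 "rhel-8.4": {
 "dependencies": {
+"composer": {
+"commit": "73e71e29381cd96fe4666091714d0b8c90a62805"
+},
 "osbuild": {
 "commit": "8d2a28c5b984667d29aaeca101b5a2b1d72605e6"
 }
 }
 },
 "rhel-8.8": {
 "dependencies": {
+"composer": {
+"commit": "73e71e29381cd96fe4666091714d0b8c90a62805"
+},
 "osbuild": {
 "commit": "8d2a28c5b984667d29aaeca101b5a2b1d72605e6"
 }
 }
 },
 "rhel-8.9": {
 "dependencies": {
+"composer": {
+"commit": "73e71e29381cd96fe4666091714d0b8c90a62805"
+},
 "osbuild": {
 "commit": "8d2a28c5b984667d29aaeca101b5a2b1d72605e6"
 }
 }
 },
 "rhel-8.10": {
 "dependencies": {
+"composer": {
+"commit": "73e71e29381cd96fe4666091714d0b8c90a62805"
+},
 "osbuild": {
 "commit": "8d2a28c5b984667d29aaeca101b5a2b1d72605e6"
 }
 }
 },
 "rhel-9.2": {
 "dependencies": {
+"composer": {
+"commit": "73e71e29381cd96fe4666091714d0b8c90a62805"
+},
 "osbuild": {
 "commit": "8d2a28c5b984667d29aaeca101b5a2b1d72605e6"
 }
 }
 },
 "rhel-9.3": {
 "dependencies": {
+"composer": {
+"commit": "73e71e29381cd96fe4666091714d0b8c90a62805"
+},
 "osbuild": {
 "commit": "8d2a28c5b984667d29aaeca101b5a2b1d72605e6"
 }
 }
 },
 "rhel-9.4": {
 "dependencies": {
+"composer": {
+"commit": "73e71e29381cd96fe4666091714d0b8c90a62805"
+},
 "osbuild": {
 "commit": "8d2a28c5b984667d29aaeca101b5a2b1d72605e6"
 }
 }
 },
 "rhel-9.5": {
 "dependencies": {
+"composer": {
+"commit": "73e71e29381cd96fe4666091714d0b8c90a62805"
+},
 "osbuild": {
 "commit": "8d2a28c5b984667d29aaeca101b5a2b1d72605e6"
 }
 }
 },
 "rhel-9.6": {
 "dependencies": {
+"composer": {
+"commit": "73e71e29381cd96fe4666091714d0b8c90a62805"
+},
 "osbuild": {
 "commit": "8d2a28c5b984667d29aaeca101b5a2b1d72605e6"
 }
 }
 },
 "rhel-9.7": {
 "dependencies": {
+"composer": {
+"commit": "73e71e29381cd96fe4666091714d0b8c90a62805"
+},
 "osbuild": {
 "commit": "8d2a28c5b984667d29aaeca101b5a2b1d72605e6"
 }
@@ -153,6 +186,9 @@
 },
 "rhel-9.8": {
 "dependencies": {
+"composer": {
+"commit": "73e71e29381cd96fe4666091714d0b8c90a62805"
+},
 "osbuild": {
 "commit": "8d2a28c5b984667d29aaeca101b5a2b1d72605e6"
 }
@@ -199,20 +235,29 @@
 },
 "rhel-10.0": {
 "dependencies": {
+"composer": {
+"commit": "73e71e29381cd96fe4666091714d0b8c90a62805"
+},
 "osbuild": {
 "commit": "8d2a28c5b984667d29aaeca101b5a2b1d72605e6"
 }
 }
 },
 "rhel-10.1": {
 "dependencies": {
+"composer": {
+"commit": "73e71e29381cd96fe4666091714d0b8c90a62805"
+},
 "osbuild": {
 "commit": "8d2a28c5b984667d29aaeca101b5a2b1d72605e6"
 }
 }
 },
 "rhel-10.2": {
 "dependencies": {
+"composer": {
+"commit": "73e71e29381cd96fe4666091714d0b8c90a62805"
+},
 "osbuild": {
 "commit": "8d2a28c5b984667d29aaeca101b5a2b1d72605e6"
 }
@@ -259,13 +304,19 @@
 },
 "centos-9": {
 "dependencies": {
+"composer": {
+"commit": "73e71e29381cd96fe4666091714d0b8c90a62805"
+},
 "osbuild": {
 "commit": "8d2a28c5b984667d29aaeca101b5a2b1d72605e6"
 }
 }
 },
 "centos-stream-9": {
 "dependencies": {
+"composer": {
+"commit": "73e71e29381cd96fe4666091714d0b8c90a62805"
+},
 "osbuild": {
 "commit": "8d2a28c5b984667d29aaeca101b5a2b1d72605e6"
 }
@@ -312,13 +363,19 @@
 },
 "centos-10": {
 "dependencies": {
+"composer": {
+"commit": "73e71e29381cd96fe4666091714d0b8c90a62805"
+},
 "osbuild": {
 "commit": "8d2a28c5b984667d29aaeca101b5a2b1d72605e6"
 }
 }
 },
 "centos-stream-10": {
 "dependencies": {
+"composer": {
+"commit": "73e71e29381cd96fe4666091714d0b8c90a62805"
+},
 "osbuild": {
 "commit": "8d2a28c5b984667d29aaeca101b5a2b1d72605e6"
 }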
102 changes: 3 additions & 99 deletions schutzbot/deploy.sh
Expand Up @@ -56,101 +56,6 @@ priority=${priority}
EOF
}

function get_last_passed_commit {
# Using 'internal' instead of 'true' so it's easier to see the pipelines in the Gitlab page
if [ "${INTERNAL_NIGHTLY:=false}" == "internal" ]; then
project_id="34771166"

# To get the schedule id use the ../pipeline_schedule endpoint
if [[ ${VERSION_ID%.*} == "9" ]]; then
# RHEL 9 scheduled pipeline id
schedule_id="233736"
elif [[ ${VERSION_ID%.*} == "10" ]]; then
# RHEL 10 scheduled pipeline id (FYI - it was used for RHEL 8 before)
schedule_id="233735"
else
echo "No scheduled pipeline defined for RHEL $VERSION_ID"
exit 1
fi

# Last executed pipeline ID
schedule_info=$(curl -s --header "PRIVATE-TOKEN: ${GITLAB_API_TOKEN}" "https://gitlab.com/api/v4/projects/${project_id}/pipeline_schedules/${schedule_id}")

# Check if API returned an error (like 401 Unauthorized)
if echo "$schedule_info" | jq -e '.message' >/dev/null; then
echo "GitLab API Error: $(echo "$schedule_info" | jq -r .message)"
exit 1
fi

pipeline_id=$(echo "$schedule_info" | jq -r '.last_pipeline.id // empty')

# Ensure pipeline_id is not null or empty before proceeding
if [[ -z "$pipeline_id" || "$pipeline_id" == "null" ]]; then
echo "Error: Could not find the last pipeline ID for schedule ${schedule_id}."
exit 1
fi

number_of_days=7
warning_date=$(date -d "- $number_of_days days" +%s)

pipeline_info=$(curl -s --header "PRIVATE-TOKEN: ${GITLAB_API_TOKEN}" "https://gitlab.com/api/v4/projects/${project_id}/pipelines/${pipeline_id}")
created_at=$(echo "$pipeline_info" | jq -r '.started_at // empty')

if [[ -z "$created_at" || "$created_at" == "null" ]]; then
echo "Error: Could not determine start time for pipeline ${pipeline_id}."
exit 1
fi

if [[ $(date -d "${created_at}" +%s) -lt "${warning_date}" ]]; then
echo "We are using an old scheduled pipeline id (more than $number_of_days days ago). Please update it"
exit 1
fi

statuses=$(curl -s --header "PRIVATE-TOKEN: ${GITLAB_API_TOKEN}" "https://gitlab.com/api/v4/projects/${project_id}/pipelines/${pipeline_id}/jobs?per_page=100" | jq -cr '.[] | select(.stage=="rpmbuild") | .status')
for status in ${statuses}; do
if [ "$status" == "failed" ]; then
echo "Last nightly pipeline ('rpmbuild' stage) failed in osbuild-composer CI. We will not run nightly-internal jobs in CIV."
exit 1
fi
done

commit=$(echo "$pipeline_info" | jq -r '.sha')
echo "$commit"

else
# Capture response and HTTP code to handle GitHub API failures (e.g. 401, 403)
response=$(curl -u "${API_USER}:${API_PAT}" -s -w "%{http_code}" "https://api.github.com/repos/osbuild/osbuild-composer/commits?per_page=100")
http_code="${response: -3}"
body="${response::-3}"

if [ "$http_code" != "200" ]; then
echo "GitHub API Error (HTTP $http_code): $body"
exit 1
fi

commit_list=$(echo "$body" | jq -cr '.[].sha')

# Initialize final_commit to prevent "unbound variable" error if no commit matches
final_commit=""

for commit_sha in ${commit_list}; do
gitlab_status=$(curl -u "${API_USER}:${API_PAT}" -s "https://api.github.com/repos/osbuild/osbuild-composer/commits/${commit_sha}/status" \
| jq -cr '.statuses[] | select(.context == "Schutzbot on GitLab") | .state')
if [[ ${gitlab_status} == "success" ]]; then
final_commit=$commit_sha
break
fi
done

if [[ -z "$final_commit" ]]; then
echo "Error: No successful commits found in the last 100 entries."
exit 1
fi

echo "$final_commit"
fi
}

# Get OS details.
source ci/set-env-variables.sh

Expand Down Expand Up @@ -188,10 +93,9 @@ echo -e "fastestmirror=1" | sudo tee -a /etc/dnf/dnf.conf
# TODO: include this in the jenkins runner (and split test/target machines out)
sudo dnf -y install jq

# Get latest commit from osbuild-composer main branch
GIT_COMMIT=$(get_last_passed_commit)

setup_repo osbuild-composer "${GIT_COMMIT}" 5
# Get pinned commit for osbuild-composer to install RPMs
COMPOSER_GIT_COMMIT=$(jq -r '.["'"${ID}-${VERSION_ID}"'"].dependencies.composer.commit' Schutzfile)
setup_repo osbuild-composer "${COMPOSER_GIT_COMMIT}" 5
Comment on lines +97 to +98

issue: Consider validating the composer commit from Schutzfile before passing it to setup_repo.

get_last_passed_commit used to guarantee a valid commit; now we trust the value from Schutzfile directly. If the key is missing or the value is null/empty, setup_repo will receive an invalid commit and fail later in a confusing way. Please add a check for null/empty here and fail fast with a clear error message mentioning the missing/invalid composer commit for ${ID}-${VERSION_ID}.


OSBUILD_GIT_COMMIT=$(cat Schutzfile | jq -r '.["'"${ID}-${VERSION_ID}"'"].dependencies.osbuild.commit')
if [[ "${OSBUILD_GIT_COMMIT}" != "null" ]]; then
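Review bot: The jq filter on the new `COMPOSER_GIT_COMMIT` line is built by splicing `${ID}-${VERSION_ID}` into the program text, so a quote or backslash in either variable would change the filter itself rather than the key being looked up. Passing the key as data keeps the filter constant: `COMPOSER_GIT_COMMIT=$(jq -r --arg key "${ID}-${VERSION_ID}" '.[$key].dependencies.composer.commit' Schutzfile)`. The values presumably come from `ci/set-env-variables.sh`, sourced earlier in the script outside this hunk, so this is hardening rather than a known bug. The unchanged `OSBUILD_GIT_COMMIT` line below uses the same splicing pattern and could be aligned in the same way.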