Promote integration-service from staging to production #12439

Merged: openshift-merge-bot[bot] merged 1 commit into redhat-appstudio:main from dirgim:integration-service-production-update-2026_06_16__11_07_57 on Jun 16, 2026

rh-pre-commit.version: 2.4.0
rh-pre-commit.check-secrets: ENABLED
@github-actions

Contributor

Kustomize Render Diff

Comparing 0e73d2c6df24c739bb

Component Environment Changes
components/integration/production/base production +2 -2
components/integration/production/kflux-fedora-01 production +2 -2
components/integration/production/kflux-ocp-p01 production +2 -2
components/integration/production/kflux-osp-p01 production +2 -2
components/integration/production/kflux-prd-rh02 production +2 -2
components/integration/production/kflux-prd-rh03 production +2 -2
components/integration/production/kflux-rhel-p01 production +2 -2
components/integration/production/stone-prod-p01 production +2 -2
components/integration/production/stone-prod-p02 production +2 -2

Total: 9 components, +18 -18 lines

📋 Full diff available in the workflow summary and as a downloadable artifact.

@codecov

codecov Bot commented Jun 16, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 53.32%. Comparing base (0e73d2c) to head (d40b8f3).
⚠️ Report is 11 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #12439   +/-   ##
=======================================
  Coverage   53.32%   53.32%           
=======================================
  Files          20       20           
  Lines        1309     1309           
=======================================
  Hits          698      698           
  Misses        539      539           
  Partials       72       72           
Flag Coverage Δ
go 53.32% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

@dirgim

dirgim commented Jun 16, 2026

Member Author

Risk Assessment

Risk Level: Low
Description: This change has been deployed in staging since June 15 and has successfully run the conformance tests with no issues observed. All the PRs attached above have passed through the full integration e2e testing suite (example for the latest commit) on the integration-service repo.
Rollback: All of the changes in this PR can be reverted so the integration service references an earlier commit without the introduced changes.

@sonam1412

Contributor

/lgtm
/approve

@openshift-ci

openshift-ci Bot commented Jun 16, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dirgim, Josh-Everett, kasemAlem, sonam1412

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@maneeshmehra

Approved.

@maneeshmehra

/agentic_review

@maneeshmehra

Production Approval Record

Field Value
Action APPROVED
Reviewer @maneeshmehra
Timestamp 2026-06-16T17:07:15.940Z
Risk Level low

This PR is now approved.

@qodo-for-redhat-appstudio

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0) 📜 Skill insights (0)

Remediation recommended

1. Unpinned image digest 🐞 Bug ⛨ Security
Description
Production pins quay.io/konflux-ci/integration-service by tag only (no sha256 digest), so if that
tag is ever retargeted the deployed bits can change without a manifest change and weaken
rollback/auditability. This repo already uses digest pinning for other production components, making
integration-service an inconsistent (weaker) supply-chain link.
Code

components/integration/production/base/kustomization.yaml[R10-12]

- name: quay.io/konflux-ci/integration-service
  newName: quay.io/konflux-ci/integration-service
-  newTag: 83730ca82bddf00603e2f0dc77a7aaa49bd8321b
+  newTag: bd638fb264185d87276c1c53f915fdc8ccb5f82d
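Review bot: the `newTag:` line still identifies the production image by tag alone, with no `digest:` field in the entry, so the manifest does not fix which image bytes are deployed if the tag is retargeted in the registry. Add `digest: sha256:<image-digest>` to this entry, using the digest that tag `bd638fb264185d87276c1c53f915fdc8ccb5f82d` resolves to. The render diff reports +2 -2 for each of the nine production overlays while this excerpt shows one changed line, so the second changed line in each overlay should be checked for the same tag-only reference.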
Evidence
Integration production uses newTag without an immutable digest, while other production components
in this repo pin images with digest: sha256:..., demonstrating that digest-pinning is an
established pattern here.

components/integration/production/base/kustomization.yaml[9-13]
components/crossplane-control-plane/production/kustomization.yaml[11-16]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`components/integration/production/base/kustomization.yaml` pins `quay.io/konflux-ci/integration-service` using `newTag` only. Tags can be retargeted, so production can end up running different bits than what the GitOps repo appears to declare.

### Issue Context
Other components in this repo already pin images immutably using `digest: sha256:...` in the `images:` transformer, which avoids tag-mutation risk.

### Fix Focus Areas
- components/integration/production/base/kustomization.yaml[9-13]

### Implementation notes
- Add the `digest: sha256:<image-digest>` field for `quay.io/konflux-ci/integration-service` (optionally keeping `newTag` for human readability), using the digest corresponding to tag `bd638fb264185d87276c1c53f915fdc8ccb5f82d`.
- Consider applying the same pattern to the integration-service staging/development kustomizations for consistency (optional, but recommended).


Qodo Logo
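The tag-only pinning raised in the review above can be checked mechanically. The following is an added example, not code from this PR, the repository or Qodo: a small Python check that lists `images:` entries lacking a `digest: sha256:...` field. Its line-based parser is a simplification that handles only block-style YAML as in the hunk, and the second sample entry's image name and all-zero digest are constructed placeholders.

```python
import re
# A full sha256 digest is the only image reference a registry cannot retarget.
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")

def parse_images(text):
    """Collect entries of the top-level `images:` list (block-style YAML only)."""
    entries, in_images = [], False
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace() and not line.startswith("-"):
            in_images = line.startswith("images:")  # any other top-level key ends the block
            continue
        if not in_images:
            continue
        item = line.strip()
        if item.startswith("- "):
            entries.append({})  # each "- " opens a new image entry
            item = item[2:].strip()
        if entries and ":" in item:
            key, value = item.split(":", 1)
            entries[-1][key.strip()] = value.strip().strip("'\"")
    return entries

def unpinned_images(text):
    """Return (image, tag) for every entry without a valid sha256 digest."""
    findings = []
    for entry in parse_images(text):
        if not DIGEST_RE.fullmatch(entry.get("digest", "")):
            image = entry.get("newName") or entry.get("name")
            findings.append((image, entry.get("newTag")))
    return findings

# Constructed sample: first entry mirrors the hunk above, second is a placeholder.
SAMPLE = f"""\
resources:
- ../../base
images:
- name: quay.io/konflux-ci/integration-service
  newName: quay.io/konflux-ci/integration-service
  newTag: bd638fb264185d87276c1c53f915fdc8ccb5f82d
- name: registry.example/placeholder/component
  digest: sha256:{'0' * 64}
"""

if __name__ == "__main__":
    for image, tag in unpinned_images(SAMPLE):
        print(f"UNPINNED {image} (tag {tag}): add digest: sha256:<image-digest>")
```

Run over each production overlay's `kustomization.yaml` in CI, a non-empty result can fail the check before a tag-only reference reaches production.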

@openshift-merge-bot openshift-merge-bot Bot merged commit be8c50c into redhat-appstudio:main Jun 16, 2026
13 checks passed
oswcab pushed a commit that referenced this pull request Jun 17, 2026
rh-pre-commit.version: 2.4.0
rh-pre-commit.check-secrets: ENABLED