
bootstrap recert over konflux #182

Merged
openshift-merge-bot[bot] merged 1 commit into rh-ecosystem-edge:main from rauhersu:main.konflux.pipelines
Mar 12, 2025

Conversation

@rauhersu
Collaborator

@rauhersu rauhersu commented Mar 12, 2025

Summary by CodeRabbit

  • Chores
    • Enhanced the container build process to improve dependency management and ensure a more reliable and secure build lifecycle.
  • New Features
    • Introduced automated workflows for container image creation triggered by code submissions and updates, integrating robust security and compliance checks for smoother and more efficient image deployment.

@openshift-ci openshift-ci bot requested review from fontivan and omertuc March 12, 2025 15:01
@openshift-ci

openshift-ci bot commented Mar 12, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rauhersu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai bot commented Mar 12, 2025

Walkthrough

The changes update the Dockerfile to refine subscription-manager handling during both build and runtime stages by adjusting repository enablement and adding unregistration steps. In addition, two new Tekton PipelineRun configuration files have been introduced—one for pull-request events and one for push events—to automate container image builds with tasks for initializing the environment, cloning repositories, prefetching dependencies, building images, and running various checks.

Changes

| File(s) | Change Summary |
| --- | --- |
| .konflux/Dockerfile | Updated subscription-manager commands in both build and runtime stages: refreshing, selectively enabling repositories (three for RHEL 9 and base OS), and adding unregistration. Also includes the installation of the subscription-manager package during runtime alongside openssh-clients. |
| .tekton/recert-4-19-pull-request.yaml, .tekton/recert-4-19-push.yaml | Introduced two new Tekton PipelineRun configurations for container image builds. Each pipeline defines sequential tasks (environment initialization, repository cloning, dependency prefetching, image building, and various validation checks) with parameters to control execution. |

Sequence Diagram(s)

sequenceDiagram
    participant T as Trigger (PR Event)
    participant P as PipelineRun
    participant I as Init Task
    participant C as Clone Task
    participant D as Dependency Task
    participant B as Build Task
    participant V as Validation Task

    T->>P: Start Pipeline (PR)
    P->>I: Initialize build environment
    I->>C: Clone repository
    C->>D: Prefetch dependencies
    D->>B: Build container image
    B->>V: Run security & image checks
    V->>P: Return build results
sequenceDiagram
    participant T as Trigger (Push Event)
    participant P as PipelineRun
    participant I as Init Task
    participant C as Clone Task
    participant D as Dependency Task
    participant B as Build Task
    participant S as Scan & Tag Task
    participant PU as Push Task

    T->>P: Start Pipeline (Push)
    P->>I: Initialize build environment
    I->>C: Clone repository
    C->>D: Prefetch dependencies
    D->>B: Build container image
    B->>S: Execute scans and tagging
    S->>PU: Conditional push of artifacts
    PU->>P: Complete pipeline execution

Suggested reviewers

  • omertuc
  • fontivan


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (3)
.tekton/recert-4-19-pull-request.yaml (2)

1-12: Annotation Configuration and Multiline Expression
The metadata annotations (lines 4–12) correctly use substitution variables (e.g. {{revision}}, {{pull_request_number}}) to dynamically inject values. However, the pipelinesascode.tekton.dev/on-cel-expression is split over two lines (lines 11–12). To ensure YAML correctly treats this as a single string, consider either joining the expression into one line or using a YAML folded scalar (for example, using the > indicator).


596-614: Workspace and Volume Claim Configuration
The workspace section (lines 596–614) is well defined with a volume claim template requesting 1Gi of storage. This allows tasks to share data effectively. As the pipeline evolves, consider monitoring storage needs to ensure that resource allocation remains optimal.

.tekton/recert-4-19-push.yaml (1)

600-614: Workspace and Volume Claim Template Consistency
The workspace configuration at the end of the file (lines 600–614) properly defines workspaces and includes a volume claim template to allocate persistent storage. This is essential for sharing data among tasks in the pipeline. Keep an eye on storage requirements as the pipeline’s complexity increases.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5d7322d and d47aa31.

📒 Files selected for processing (3)
  • .konflux/Dockerfile (1 hunks)
  • .tekton/recert-4-19-pull-request.yaml (1 hunks)
  • .tekton/recert-4-19-push.yaml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms (2)
  • GitHub Check: Red Hat Konflux / recert-4-19-on-pull-request
  • GitHub Check: build
🔇 Additional comments (5)
.tekton/recert-4-19-pull-request.yaml (1)

21-37: Pipeline Parameters and Initial Task Setup
The pipeline parameters (lines 21–31) and the initial portion of the task definitions are comprehensive and clearly defined. The substitution variables (such as {{source_url}}, {{revision}}, etc.) appear consistent across the configuration. Please verify that all referenced values propagate correctly throughout the tasks and that task dependencies match the intended execution order.

.konflux/Dockerfile (2)

6-16: Build Stage Subscription-Manager Handling
In the build stage, the updated commands (lines 6–11) now register the subscription manager, refresh its state, and selectively enable the necessary repositories before installing build-time packages. Following the installation of rust-toolset and protobuf-compiler (lines 13–16), the subscription manager is unregistered to ensure clean-up. This flow improves repository management and minimizes potential side effects from lingering registrations.


23-32: Runtime Stage Repository Management
The runtime stage (lines 23–32) mirrors the improvements made in the build stage. The image now installs subscription-manager, performs registration and repository refresh, and enables only the base OS repository required for runtime operations (line 27). The subsequent installation of openssh-clients is immediately followed by a clean-up and unregistration step, which is a good practice.

.tekton/recert-4-19-push.yaml (2)

1-12: Push Pipeline Metadata and Expression Formatting
The metadata annotations in this push pipeline (lines 1–12) are similar to those in the pull-request configuration with appropriate adjustments (such as setting pipelinesascode.tekton.dev/cancel-in-progress to "false"). As with the pull-request file, note that the on-cel-expression spans two lines. Combining the condition into a single line or using a multiline scalar format will help ensure proper YAML parsing.


20-120: Comprehensive Task and Parameter Configuration
The pipeline’s parameter definitions and task list (lines 20–120 and beyond) are extensive and appear to cover all necessary build, test, and scanning operations for a push-triggered event. The use of when conditions, task-specific parameters, and dependency ordering demonstrates a thoughtful design. Please verify that all referenced task bundles and resolvers (e.g. buildah, task-clair-scan, etc.) are up-to-date and available in the execution environment.

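The register, refresh, enable-repos, install, clean-up, unregister sequence that the review above describes for both stages, written out as an added Dockerfile example. This is not the PR's own .konflux/Dockerfile: the base images, the BuildKit secret ids, the activation-key registration method and the exact repository ids are assumptions chosen for illustration (the PR's values are not visible on this page). What the example adds is the reason the ordering matters from a defender's point of view: every step runs inside a single RUN instruction, so the registration identity and entitlement certificates are removed before the layer is committed and never ship in the image.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not the PR's .konflux/Dockerfile. Base images, secret ids
# and repository ids below are placeholders.

# ---------- build stage ----------
FROM registry.access.redhat.com/ubi9/ubi:latest AS builder

# Registration credentials are passed as BuildKit secrets (--mount=type=secret)
# rather than ARGs or ENVs, so they never appear in layer metadata or history.
# The whole register -> refresh -> enable -> install -> clean -> unregister
# chain lives in ONE RUN so no intermediate layer contains entitlement state.
RUN --mount=type=secret,id=rhsm-org \
    --mount=type=secret,id=rhsm-activation-key \
    subscription-manager register \
        --org "$(cat /run/secrets/rhsm-org)" \
        --activationkey "$(cat /run/secrets/rhsm-activation-key)" \
    && subscription-manager refresh \
    && subscription-manager repos --disable '*' \
    && subscription-manager repos \
        --enable rhel-9-for-x86_64-baseos-rpms \
        --enable rhel-9-for-x86_64-appstream-rpms \
        --enable codeready-builder-for-rhel-9-x86_64-rpms \
    && dnf install -y rust-toolset protobuf-compiler \
    && dnf clean all \
    && subscription-manager unregister \
    && subscription-manager clean   # drop any cached consumer/entitlement certs

WORKDIR /src
COPY . .
RUN cargo build --release

# ---------- runtime stage ----------
FROM registry.access.redhat.com/ubi9/ubi-minimal:latest

# The runtime image needs subscription-manager only long enough to pull
# openssh-clients from the BaseOS repo; it is unregistered in the same layer.
RUN --mount=type=secret,id=rhsm-org \
    --mount=type=secret,id=rhsm-activation-key \
    microdnf install -y subscription-manager \
    && subscription-manager register \
        --org "$(cat /run/secrets/rhsm-org)" \
        --activationkey "$(cat /run/secrets/rhsm-activation-key)" \
    && subscription-manager refresh \
    && subscription-manager repos --disable '*' \
    && subscription-manager repos --enable rhel-9-for-x86_64-baseos-rpms \
    && microdnf install -y openssh-clients \
    && microdnf clean all \
    && subscription-manager unregister \
    && subscription-manager clean

COPY --from=builder /src/target/release/recert /usr/local/bin/recert
ENTRYPOINT ["/usr/local/bin/recert"]
```

A quick check after building is to run `docker history` on the result and confirm no layer carries the secret values, and to inspect `/etc/pki/entitlement` and `/etc/pki/consumer` inside the final image, which should be empty once `unregister` and `clean` have run in the same layer as the install.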
@fontivan
Member

/lgtm

@openshift-ci openshift-ci bot added the lgtm label Mar 12, 2025
@openshift-merge-bot openshift-merge-bot bot merged commit fd11399 into rh-ecosystem-edge:main Mar 12, 2025
5 checks passed
@coderabbitai coderabbitai bot mentioned this pull request Mar 24, 2025
2 participants