create hermetic builds #185
openshift-merge-bot[bot] merged 5 commits into rh-ecosystem-edge:main from rauhersu:main.hermetic
Walkthrough: This pull request introduces new parameters to two Tekton pipeline configuration files to enforce hermetic builds and prefetch RPM dependencies. It also removes the subscription-manager commands from the Dockerfile. Additionally, new configuration and lockfiles for managing RPM packages during build and runtime have been added.
Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant Trigger as User Trigger
    participant Pipeline as Tekton Pipeline
    participant Prefetch as Prefetch Task
    participant Build as Build Task
    Trigger->>Pipeline: Initiate Build Process
    Pipeline->>Prefetch: Run 'prefetch-dependencies'\n(using parameters: hermetic, prefetch-input, dev-package-managers)
    Prefetch-->>Pipeline: Return prefetched dependencies
    Pipeline->>Build: Execute build in hermetic mode
    Build-->>Pipeline: Build completed
```
Actionable comments posted: 0
🧹 Nitpick comments (5)
.konflux/rpms.in.yaml (1)
1-6: Fix duplicate wording in comment. On line 3 the comment reads “Choosing a rhel9 rpm from from the build stage image we are currently using.” Removing the duplicate “from” will improve clarity.
```diff
- # Choosing a rhel9 rpm from from the build stage image we are currently using.
+ # Choosing a rhel9 rpm from the build stage image we are currently using.
```
.konflux/README.md (4)
1-7: Improve README introductory clarity. In the Overview section (line 4), the phrase “hermetic builds ,required by Konflux Conforma” contains an extra comma. Consider revising to:
“… hermetic builds required by Konflux Conforma …”
🧰 Tools
🪛 LanguageTool
[misspelling] ~4-~4: Use “an” instead of ‘a’ if the following word starts with a vowel sound, e.g. ‘an article’, ‘an hour’.
Context: ...in Konflux builds, we need to integrate a RPM lock file management in our workflo...(EN_A_VS_AN)
10-12: Article correction for lock file generation. Change “Generate a rpm lock file” to “Generate an rpm lock file” so that the article correctly reflects the vowel sound starting “rpm”.
```diff
-### Generate a rpm lock file
+### Generate an rpm lock file
```
🧰 Tools
🪛 LanguageTool
[uncategorized] ~10-~10: Use the indefinite article “an” before nouns that start with a vowel sound.
Context: ... RPM lock file management ### Generate a rpm lock file We will be using a gener...(AI_EN_LECTOR_REPLACEMENT_DETERMINER_A_AN)
27-28: Verb phrasing correction. Consider revising “configured to setup a hermetic build workflow” to “configured to set up a hermetic build workflow” for improved readability and correct verb separation.
```diff
-configured to setup a hermetic build workflow
+configured to set up a hermetic build workflow
```
🧰 Tools
🪛 LanguageTool
[grammar] ~27-~27: The word “setup” is a noun. The verb is spelled with a white space.
Context: ...es in.tektonhave been configured to setup a hermetic build workflow according to ...(NOUN_VERB_CONFUSION)
47-48: Temporal phrasing improvement. Replace “At time of writing” with “At the time of writing” to enhance clarity.
```diff
-At time of writing, this is limited to a `rpm.locks.yaml` file present in the project root.
+At the time of writing, this is limited to a `rpm.locks.yaml` file present in the project root.
```
🧰 Tools
🪛 LanguageTool
[misspelling] ~47-~47: Did you mean “At a time”, “At the time”, or “At times”?
Context: ...ions and generate the updated lockfile. At time of writing, this is limited to a `rpm.l...(AT_TIME2)
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (5)
- .konflux/README.md (1 hunks)
- .konflux/rpms.in.yaml (1 hunks)
- .konflux/rpms.lock.yaml (1 hunks)
- .tekton/recert-4-19-pull-request.yaml (2 hunks)
- .tekton/recert-4-19-push.yaml (2 hunks)
🧰 Additional context used
🪛 LanguageTool
.konflux/README.md
[uncategorized] ~16-~16: Loose punctuation mark.
Context: ...th the following fields: 1. repofiles: the .repo file extracted from the runti...
(UNLIKELY_OPENING_PUNCTUATION)
⏰ Context from checks skipped due to timeout of 90000ms (2)
- GitHub Check: build
- GitHub Check: Red Hat Konflux / recert-4-19-on-pull-request
🔇 Additional comments (7)
.konflux/rpms.in.yaml (2)
7-13: Approve package definitions. The packages for the build stage (`rust-toolset` and `protobuf-compiler`) and runtime stage (`openssh-clients`) are clearly listed.
14-21: Validate architecture and context settings. The `arches` section correctly specifies `x86_64`, and the `context` section properly points to the Dockerfile along with the associated image pattern. Ensure that the referenced Dockerfile exists at the specified location.
.konflux/rpms.lock.yaml (1)
1-198: Lockfile structure looks good. The RPM lock file properly defines the lockfile version, vendor, architectures, and detailed package metadata. Make sure that this file remains auto-generated from the `rpms.in.yaml` to avoid manual drift.
.tekton/recert-4-19-pull-request.yaml (2)
32-35: Details
❓ Verification inconclusive
New pipeline parameters for hermetic builds.
The addition of the `hermetic` parameter set to `"true"` and the `prefetch-input` parameter with the JSON value for RPM dependency prefetching are correctly implemented. Verify that all downstream tasks leverage these parameters as intended.
Please run the above shell script to verify that all downstream tasks leverage the new `hermetic` and `prefetch-input` parameters as intended.
🏁 Script executed:
```bash
#!/bin/bash
# Search for downstream usage of the new pipeline parameters (excluding the pipeline definition file)
echo "Searching for 'hermetic' references outside of .tekton/recert-4-19-pull-request.yaml..."
rg -n "hermetic" . | grep -v ".tekton/recert-4-19-pull-request.yaml"
echo "Searching for 'prefetch-input' references outside of .tekton/recert-4-19-pull-request.yaml..."
rg -n "prefetch-input" . | grep -v ".tekton/recert-4-19-pull-request.yaml"
```
Length of output: 655
Action Required: Confirm Downstream Parameter Usage
The new pipeline parameters in `.tekton/recert-4-19-pull-request.yaml` (lines 32–35), setting `hermetic` to `"true"` and defining the `prefetch-input` JSON value, appear to be implemented correctly. However, our automated search did not reveal any references to these parameters in downstream tasks. Please manually verify that the downstream tasks are indeed leveraging the `hermetic` and `prefetch-input` parameters as intended.
196-198: Details
❓ Verification inconclusive
Enable development package managers.
The new parameter `dev-package-managers` with value `"true"` in the prefetch-dependencies task aligns with the intended configuration for dependency management. Please confirm that tasks expecting this configuration are updated accordingly.
Below is a shell script to search the entire repository for references to `"dev-package-managers"`. This will help us confirm whether tasks expecting this configuration have been updated accordingly. Once you review the output of this script, please verify that all tasks referencing this parameter align with the intended configuration change made in the prefetch-dependencies task.
🏁 Script executed:
```bash
#!/bin/bash
# Search for all occurrences of "dev-package-managers" in the repository.
rg "dev-package-managers" -n .
```
Length of output: 152
Verify that all tasks correctly use the new configuration for development package managers
For file `.tekton/recert-4-19-pull-request.yaml` at lines 196–198, the updated snippet now includes:
```yaml
          value: $(params.prefetch-input)
        - name: dev-package-managers
          value: "true"
```
This change sets the `dev-package-managers` parameter to `"true"` within the prefetch-dependencies task, which aligns with the intended dependency management configuration. However, the search for occurrences of `"dev-package-managers"` across the repository did not reveal additional references, so please manually verify that any tasks relying on this parameter have been updated accordingly.
.tekton/recert-4-19-push.yaml (2)
29-32: Hermetic build parameters in push configuration. The `hermetic` and `prefetch-input` parameters are consistently defined here to enforce network isolation and prefetch RPM dependencies in push builds.
194-195: Details
✅ Verification successful
Development package managers parameter added.
The inclusion of `dev-package-managers` set to `"true"` in the prefetch-dependencies task is appropriate. Verify compatibility with the existing dependency management framework.
Dependency Management Parameter Verified
The inclusion of the `dev-package-managers` parameter (set to `"true"`) in the prefetch-dependencies task in `.tekton/recert-4-19-push.yaml` (lines 194–195) appears appropriate. Please ensure that integration tests confirm its compatibility with our existing dependency management framework, and that no legacy configurations are adversely affected.
Actionable comments posted: 1
🧹 Nitpick comments (6)
.konflux/rpms.in.yaml (1)
1-18: Fix YAML Indentation and Newline Issues
There are YAML lint warnings that need addressing:
- Indentation:
  - The list item on line 5 is indented with 5 spaces but should use 4 spaces relative to its parent key.
  - The `context` block (lines 15–18) is over-indented (4 spaces) and should be reduced to 2 spaces relative to the root key.
- Newline:
  - The file lacks a newline at the end (line 18), which is required.
A suggested diff adjustment:
```diff
 contentOrigin:
   repofiles:
-    # Choosing a rhel9 rpm from from the build stage image we are currently using.
-    # See also the 'imagePattern' matching that below.
-     - ./redhat.repo
+    # Choosing a rhel9 rpm from the build stage image we are currently using.
+    # See also the 'imagePattern' matching that below.
+    - ./redhat.repo
 packages:
   # build stage
@@
-context:
-    containerfile:
-        file: ./Dockerfile
-        stageName: build-image
+context:
+  containerfile:
+    file: ./Dockerfile
+    stageName: build-image
```
Then, add a newline at the end of the file.
🧰 Tools
🪛 YAMLlint (1.35.1)
[warning] 5-5: wrong indentation: expected 4 but found 5
(indentation)
[warning] 16-16: wrong indentation: expected 2 but found 4
(indentation)
[error] 18-18: no new line character at the end of file
(new-line-at-end-of-file)
.konflux/README.Konflux.md (5)
4-4: Grammar Correction: Use "an" Instead of "a"
In the sentence “...we need to integrate a RPM lock file management in our workflow...”, change "a RPM" to "an RPM" to follow proper grammar rules.
10-10: Grammar Correction: Update Indefinite Article
Change the header “Generate a rpm lock file” to “Generate an rpm lock file” for correctness.
16-16: Punctuation Suggestion
Review the punctuation in the list item describing `repofiles` (line 16). A slight adjustment for clarity, for example adding a comma if needed, would improve readability.
27-27: Verb Phrase Correction: Use "set up" Instead of "setup"
In the phrase “configured to setup a hermetic build workflow”, change "setup" to "set up" since the verb phrase requires a space.
47-47: Clarify Timeliness: Add Definite Article
Replace “At time of writing” with “At the time of writing” to improve clarity.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (6)
- .konflux/Dockerfile (1 hunks)
- .konflux/README.Konflux.md (1 hunks)
- .konflux/rpms.in.yaml (1 hunks)
- .konflux/rpms.lock.yaml (1 hunks)
- .tekton/recert-4-19-pull-request.yaml (2 hunks)
- .tekton/recert-4-19-push.yaml (2 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
- .konflux/rpms.lock.yaml
🧰 Additional context used
🪛 Hadolint (2.12.0)
.konflux/Dockerfile
[error] 5-5: Use absolute WORKDIR
(DL3000)
⏰ Context from checks skipped due to timeout of 90000ms (2)
- GitHub Check: build
- GitHub Check: Red Hat Konflux / recert-4-19-on-pull-request
🔇 Additional comments (3)
.tekton/recert-4-19-pull-request.yaml (1)
32-35: Add Hermetic Build Parameters
The new `hermetic` and `prefetch-input` parameters are correctly added to enforce network isolation and enable RPM dependency prefetching. Please double-check that downstream tasks and pipelines expect these values and that the quoting is consistent.
.tekton/recert-4-19-push.yaml (2)
29-32: Ensure Consistent Pipeline Parameters for Hermetic Builds
The new `hermetic` and `prefetch-input` pipeline parameters have been added correctly. Verify that these values are consistently used across the pipeline and match the configuration in the pull request YAML.
194-195: Enable Dev Package Management
The addition of the `dev-package-managers` parameter in the prefetch-dependencies task helps support dependency management during hermetic builds. This change looks good; please confirm that the downstream tasks use this parameter as expected.
| # build stage | ||
| FROM registry.redhat.io/rhel9-4-els/rhel:9.4-1044 AS build-image | ||
| WORKDIR app |
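Review bot: `FROM registry.redhat.io/rhel9-4-els/rhel:9.4-1044 AS build-image` pins the base image by tag only; a tag can be re-pushed, so a build that prefetches every RPM by sha256 checksum but resolves its base image by a mutable name is hermetic without being reproducible. Pin by digest (`FROM registry.redhat.io/rhel9-4-els/rhel@sha256:<digest> AS build-image`) or confirm that the pipeline records the resolved digest in its provenance. `WORKDIR app` is also a relative path (Hadolint DL3000): use `WORKDIR /app`, in the runtime stage as well.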
🛠️ Refactor suggestion
Use Absolute Paths for WORKDIR
Hadolint recommends the use of absolute paths for the WORKDIR directive. Please update both instances (in the build and runtime stages) as shown below:
```diff
-WORKDIR app
+WORKDIR /app
```
This change enhances clarity and complies with best practices.
Also applies to: 21-21
I will change the hermetic config once again. /hold
Actionable comments posted: 0
🧹 Nitpick comments (1)
.konflux/lock-build/rpms.in.yaml (1)
1-16: Fix Indentation and End-of-File Newline
Static analysis flags indicate indentation issues:
- Line 4: Expected 4 spaces but found 5.
- Line 14: Expected 2 spaces but found 4.
Additionally, there is no newline at the end of the file. Please adjust the indentation to follow YAML best practices and add a final newline. For example:
```diff
-contentOrigin:
-  repofiles:
-    # rhel9 rpm repos
-     - ./redhat.repo
+contentOrigin:
+  repofiles:
+    # rhel9 rpm repos
+    - ./redhat.repo
-context:
-    containerfile:
-        file: ../Dockerfile
-        stageName: build-image
+context:
+  containerfile:
+    file: ../Dockerfile
+    stageName: build-image
```
Finally, ensure a newline is appended at the end of the file.
🧰 Tools
🪛 YAMLlint (1.35.1)
[warning] 4-4: wrong indentation: expected 4 but found 5
(indentation)
[warning] 14-14: wrong indentation: expected 2 but found 4
(indentation)
[error] 16-16: no new line character at the end of file
(new-line-at-end-of-file)
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (6)
- .konflux/lock-build/rpms.in.yaml (1 hunks)
- .konflux/lock-build/rpms.lock.yaml (1 hunks)
- .konflux/lock-runtime/rpms.in.yaml (1 hunks)
- .konflux/lock-runtime/rpms.lock.yaml (1 hunks)
- .tekton/recert-4-19-pull-request.yaml (2 hunks)
- .tekton/recert-4-19-push.yaml (2 hunks)
✅ Files skipped from review due to trivial changes (3)
- .konflux/lock-build/rpms.lock.yaml
- .konflux/lock-runtime/rpms.in.yaml
- .konflux/lock-runtime/rpms.lock.yaml
⏰ Context from checks skipped due to timeout of 90000ms (1)
- GitHub Check: Red Hat Konflux / recert-4-19-on-pull-request
🔇 Additional comments (4)
.tekton/recert-4-19-pull-request.yaml (2)
32-35: New Parameters for Hermetic Build and Prefetch Input
The addition of the `hermetic` parameter (set as `"true"`) and the JSON string for `prefetch-input` successfully supports the goal of enforcing hermetic builds and prefetching RPM dependencies. These values will override the defaults provided in the pipeline spec. Please verify that downstream tasks correctly consume these parameters.
197-198: Addition of `dev-package-managers` Parameter
The new `dev-package-managers` parameter set to `"true"` within the `prefetch-dependencies` task is a clear and consistent enhancement to manage build-time dependency resolution. Confirm that all tasks relying on dependency configuration are updated accordingly.
.tekton/recert-4-19-push.yaml (2)
29-32: New Pipeline Parameters for Hermetic Build in Push Pipeline
The parameters `hermetic` and `prefetch-input` are newly introduced with the expected values (`"true"` and the appropriate JSON string, respectively). This mirrors the changes made in the pull-request pipeline and upholds a consistent approach. Please double-check that these parameters are properly propagated to all affected tasks.
194-195: Inclusion of `dev-package-managers` Parameter
The new `dev-package-managers` parameter (with value `"true"`) in the `prefetch-dependencies` task is correctly integrated to improve dependency handling. Ensure that any downstream processing that relies on this parameter is consistent with this change.
Actionable comments posted: 0
🧹 Nitpick comments (7)
.konflux/lock-build/rpms.in.yaml (3)
1-5: Indentation Issue in the `contentOrigin` Block
Static analysis indicates an indentation anomaly at line 4. The list item (`- ./redhat.repo`) is indented more than expected (expected 4 spaces but found 5). Please adjust the indentation to conform with YAML standards to avoid linting warnings.
13-16: Indentation Issue in the `context` Block
The `containerfile` key appears to be over-indented (expected 2 spaces but found 4). Adjust the indentation of the `context` block for consistency and compliance with YAML linting.
16-16: Missing Newline at End of File
A newline character is missing at the end of the file, which is a common standard for text files. Adding a newline will help prevent potential issues in certain environments and tools.
.konflux/README.Konflux.md (4)
1-4: Improve Article Usage & Punctuation in Overview
On line 4, consider revising the sentence for clarity and grammatical accuracy. For example, update:
"When installing external software via RPMs in Konflux builds, we need to integrate a RPM lock file management in our workflow: the primary goal is to ensure that hermetic builds ,required by Konflux Conforma, can pre-fetch RPM dependencies before building the Docker image."
to something like:
"When installing external software via RPMs in Konflux builds, we need to integrate an RPM lock file management system into our workflow: the primary goal is to ensure that hermetic builds, required by Konflux Conforma, can pre-fetch RPM dependencies before building the Docker image."
This small change addresses the extra space before the comma and improves article consistency.
10-11: Header Title Correction
The header "Generate a rpm lock file" would be clearer as "Generate an RPM lock file" to conform with proper article usage and capitalization.
29-29: Verb Form Correction
In the sentence regarding Tekton configuration, change "configured to setup a hermetic build workflow" to "configured to set up a hermetic build workflow" to correctly use the verb phrase.
49-49: Temporal Expression Enhancement
Consider revising "At time of writing" to "At the time of writing" or simply "Currently" for improved readability.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (8)
- .konflux/Dockerfile (1 hunks)
- .konflux/README.Konflux.md (1 hunks)
- .konflux/lock-build/rpms.in.yaml (1 hunks)
- .konflux/lock-build/rpms.lock.yaml (1 hunks)
- .konflux/lock-runtime/rpms.in.yaml (1 hunks)
- .konflux/lock-runtime/rpms.lock.yaml (1 hunks)
- .tekton/recert-4-19-pull-request.yaml (2 hunks)
- .tekton/recert-4-19-push.yaml (2 hunks)
🚧 Files skipped from review as they are similar to previous changes (4)
- .konflux/lock-runtime/rpms.in.yaml
- .konflux/lock-runtime/rpms.lock.yaml
- .tekton/recert-4-19-push.yaml
- .tekton/recert-4-19-pull-request.yaml
⏰ Context from checks skipped due to timeout of 90000ms (1)
- GitHub Check: Red Hat Konflux / recert-4-19-on-pull-request
🔇 Additional comments (8)
.konflux/lock-build/rpms.lock.yaml (1)
1-170: Overall Schema & Structure Validation
The RPM lock file for the build configuration is well structured and clearly defines the expected attributes (e.g., `lockfileVersion`, `arches`, `packages`). The package entries include comprehensive metadata (URL, repoid, size, checksum, name, evr, sourcerpm), which will help ensure reproducible and verifiable builds. Please ensure that any future modifications to the lockfile remain consistent with the deployment schema and that any internal tooling validating these files is updated accordingly.
.konflux/lock-build/rpms.in.yaml (1)
1-16: Overall File Review
The configuration in this file is clear and directly supports the hermetic build process by listing the required packages and specifying the build context. Once the indentation and EOF newline issues are fixed, the file should be ready.
.konflux/Dockerfile (5)
1-4: Subscription-Manager Commands Removal
The removal of subscription-manager commands in this Dockerfile aligns with the goal of creating a hermetic build environment. The current instructions now focus on installing the essential packages and cleaning up appropriately.
5-5: Use Absolute Path for WORKDIR in Build Stage
For clarity and to adhere to best practices (as noted in previous reviews), please change the WORKDIR from a relative path to an absolute one. For example:
```diff
- WORKDIR app
+ WORKDIR /app
```
8-10: Efficient Package Installation Command
The RUN command in the build stage is succinct and cleans up after installation. No changes are needed here.
21-21: Use Absolute Path for WORKDIR in Runtime Stage
Similarly, in the runtime stage, update the WORKDIR to an absolute path for consistency:
```diff
- WORKDIR app
+ WORKDIR /app
```
15-24: Runtime Stage Cleanliness
The runtime stage focuses on installing minimal packages (such as `openssh-clients`) and cleaning up after installation. This aligns well with the hermetic build philosophy.
.konflux/README.Konflux.md (1)
1-50: Overall README Evaluation
The README provides comprehensive documentation covering RPM lock file management and the hermetic build workflow. After incorporating the minor grammatical and stylistic corrections suggested above, the document will effectively guide developers through the updated process.
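A consistency check for the lock files discussed in these reviews, added here as an example and not code from the recert project or from Konflux: it reads `rpms.in.yaml` and `rpms.lock.yaml`, reports any requested package that is absent from the lock file (the manual drift the reviewer warns about), and verifies that every locked package carries the url/repoid/size/checksum/name/evr/sourcerpm fields, a sha256 checksum and an https URL on an allowed CDN host. The flat YAML layout it parses, the `cdn.redhat.com` allow-list and the sample files with their package versions, sizes and digest are assumptions, not the project's real files.

```python
"""Drift and integrity checks for a Konflux RPM lock file: an added example, not
project code. It checks what the review asks for: every package requested in
rpms.in.yaml is locked, each entry carries url/repoid/size/checksum/name/evr/
sourcerpm, checksums are sha256 and URLs are https on an allowed host. Assumed:
the flat layout the lock generator emits and cdn.redhat.com as the only host.
Real tooling should use PyYAML; the tiny readers here keep it stdlib-only."""
import re
from urllib.parse import urlparse

SHA256_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
REQUIRED_FIELDS = ("repoid", "size", "checksum", "name", "evr", "sourcerpm")
ALLOWED_HOSTS = {"cdn.redhat.com"}  # assumption, see docstring


def parse_in(text: str) -> dict:
    """Read the top-level 'packages:' and 'arches:' lists of rpms.in.yaml."""
    lists, current = {"packages": set(), "arches": set()}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line in ("packages:", "arches:"):
            current = line[:-1]
        elif line.startswith("- ") and current:
            lists[current].add(line[2:].strip())
        elif not raw.startswith(" "):
            current = None  # any other top-level key ends the list
    return lists


def parse_lock(text: str) -> list:
    """Collect each '- url:' item with its indented key/value lines, tagged with its arch."""
    pkgs, cur, cur_indent, arch = [], None, -1, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if m := re.match(r"^- arch: (\S+)$", line):
            arch, cur = m.group(1), None
        elif m := re.match(r"^- url: (\S+)$", line):
            cur, cur_indent = {"url": m.group(1), "arch": arch}, indent
            pkgs.append(cur)
        elif (m := re.match(r"^(\w+): (.+)$", line)) and cur and indent > cur_indent:
            cur[m.group(1)] = m.group(2)
        else:
            cur = None  # left the package block
    return pkgs


def check_lock(in_text: str, lock_text: str, allowed_hosts=ALLOWED_HOSTS) -> list:
    """Return findings; an empty list means the lock file is fit for a hermetic build."""
    wanted, pkgs, findings = parse_in(in_text), parse_lock(lock_text), []
    for p in pkgs:
        label = f"{p.get('name', '?')}-{p.get('evr', '?')}.{p['arch']}"
        findings += [f"{label}: missing field {k}" for k in REQUIRED_FIELDS if k not in p]
        if not SHA256_RE.match(p.get("checksum", "")):
            findings.append(f"{label}: checksum is not a sha256 digest")
        url = urlparse(p["url"])
        if url.scheme != "https" or url.hostname not in allowed_hosts:
            findings.append(f"{label}: url is not https on an allowed host: {p['url']}")
    for arch in sorted(wanted["arches"]):
        locked = {p.get("name") for p in pkgs if p["arch"] == arch}
        findings += [f"{n} requested for {arch} in rpms.in.yaml but not in lock file"
                     for n in sorted(wanted["packages"] - locked)]
    return findings


# Constructed sample files; versions, sizes, the digest and the mirror host are made up.
SAMPLE_IN = """\
contentOrigin:
  repofiles:
    - ./redhat.repo
packages:
  - rust-toolset
  - protobuf-compiler
arches:
  - x86_64
"""
SAMPLE_LOCK = f"""\
lockfileVersion: 1
arches:
  - arch: x86_64
    packages:
      - url: https://cdn.redhat.com/content/dist/rhel9/9.4/x86_64/appstream/os/Packages/r/rust-toolset-1.79.0-1.el9.x86_64.rpm
        repoid: rhel-9-for-x86_64-appstream-rpms
        size: 12345
        checksum: sha256:{'ab' * 32}
        name: rust-toolset
        evr: 1.79.0-1.el9
        sourcerpm: rust-toolset-1.79.0-1.el9.src.rpm
      - url: http://mirror.example.org/protobuf-compiler-3.14.0-13.el9.x86_64.rpm
        repoid: rhel-9-for-x86_64-appstream-rpms
        size: 6789
        checksum: sha1:0123456789abcdef0123456789abcdef01234567
        name: protobuf-compiler
        evr: 3.14.0-13.el9
        sourcerpm: protobuf-3.14.0-13.el9.src.rpm
"""

if __name__ == "__main__":
    print("\n".join(check_lock(SAMPLE_IN, SAMPLE_LOCK)) or "lock file OK")
```

On the sample above the second entry is reported twice (a sha1 checksum and a plain-http mirror outside the allow-list); dropping it instead yields a single drift finding, because `protobuf-compiler` is still requested in `rpms.in.yaml`. To run it on the real files, pass the contents of `.konflux/lock-build/rpms.in.yaml` and `.konflux/lock-build/rpms.lock.yaml` (and the `lock-runtime` pair) to `check_lock` and fail the pipeline on a non-empty result; a non-sha256 checksum or a package sourced outside the expected CDN is exactly what a hermetic prefetch should refuse.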
/unhold Blocked by a bug in the coverity task: konflux-ci/build-definitions#2096
/retest
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: fontivan, rauhersu
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Details: Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Merged commit 79eecb2 into rh-ecosystem-edge:main