From ffaa929aafbc5f61cd9f2ff928885eeb78f5e643 Mon Sep 17 00:00:00 2001
From: Misha Sugakov
Date: Wed, 26 Nov 2025 12:10:54 +0100
Subject: [PATCH 1/7] Adjust codeowners

---
 .github/CODEOWNERS | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 4b4b30852c..f3cfcde767 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -8,10 +8,10 @@ RELEASED_VERSIONS @stackrox/collector-team
 RELEASED_VERSIONS.unsupported @stackrox/collector-team
-# The RHTAP maintainers for ACS review all changes related to the Konflux pipelines, such as new
-# pipelines, parameter changes or automated task updates as well as Dockerfile updates.
-# rhacs-bot auto-approves MintMaker PRs for automated task and security updates.
-**/konflux.*Dockerfile @stackrox/rhtap-maintainers @rhacs-bot
-/.tekton/ @stackrox/rhtap-maintainers @rhacs-bot
-rpms.* @stackrox/rhtap-maintainers @rhacs-bot
-.github/renovate.json5 @stackrox/rhtap-maintainers
+# The Konflux maintainers for ACS review all changes related to the Konflux pipelines, Dockerfiles, etc.
+# Release engineers need to merge MintMaker PRs at the time of release.
+# rhacs-bot needs ability to auto-approve MintMaker PRs for automated task and security updates.
+**/konflux.*Dockerfile @stackrox/konflux-maintainers-no-email @stackrox/release-mgmt-no-email @rhacs-bot
+/.tekton/ @stackrox/konflux-maintainers-no-email @stackrox/release-mgmt-no-email @rhacs-bot
+rpms.* @stackrox/konflux-maintainers-no-email @stackrox/release-mgmt-no-email @rhacs-bot
+.github/renovate.json5 @stackrox/konflux-maintainers

From 52f9bba6a87ce6738f773ef3f15554c3cc14632e Mon Sep 17 00:00:00 2001
From: Misha Sugakov
Date: Wed, 26 Nov 2025 12:27:10 +0100
Subject: [PATCH 2/7] Switch auto-approve away from `pull_request_target`

`pull_request` is less insecure and should be sufficient.

---
 .github/workflows/auto-approve.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
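Review bot: The last added line, `.github/renovate.json5 @stackrox/konflux-maintainers`, names the notified team while the three added lines above it use `@stackrox/konflux-maintainers-no-email`, and the rewritten header comment does not say whether that difference is deliberate. If it is, a line such as `# renovate.json5 is rarely edited and only by humans, so the notified team owns it directly` would settle it. The same comment could also state that the `-no-email` teams receive no review notifications (the tag-more-reviewers workflow added later in this series says so), because after this change the CODEOWNERS file alone no longer shows how a human change to `/.tekton/` or a `konflux.*Dockerfile` reaches a human reviewer.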
diff --git a/.github/workflows/auto-approve.yml b/.github/workflows/auto-approve.yml
index 5277bbace8..85579a05dc 100644
--- a/.github/workflows/auto-approve.yml
+++ b/.github/workflows/auto-approve.yml
@@ -1,7 +1,7 @@
 name: auto-merge
 on:
- pull_request_target:
+ pull_request:
 types:
 - labeled

From 921b48f86eb07acfead35dc36507994d110a551c Mon Sep 17 00:00:00 2001
From: Misha Sugakov
Date: Wed, 26 Nov 2025 12:27:54 +0100
Subject: [PATCH 3/7] Restore formatting of the collector pipeline

---
 .tekton/collector-component-pipeline.yaml | 69 ++++++++++++++++-------
 1 file changed, 48 insertions(+), 21 deletions(-)

diff --git a/.tekton/collector-component-pipeline.yaml b/.tekton/collector-component-pipeline.yaml
index 25206161e8..b7894a827c 100644
--- a/.tekton/collector-component-pipeline.yaml
+++ b/.tekton/collector-component-pipeline.yaml
@@ -2,8 +2,11 @@ apiVersion: tekton.dev/v1 kind: Pipeline metadata: name: collector-component-pipeline + spec: + finally: + - name: slack-notification params: - name: message
@@ -11,10 +14,10 @@ spec: - name: key-name value: 'acs-konflux-notifications' when: - # Run when any task has Failed + # Run when any task has Failed - input: $(tasks.status) operator: in - values: ["Failed"] + values: [ "Failed" ] taskRef: params: - name: name
@@ -24,6 +27,7 @@ spec: - name: kind value: task resolver: bundles + - name: show-sbom params: - name: IMAGE_URL
@@ -37,6 +41,7 @@ spec: - name: kind value: task resolver: bundles + - name: post-metric-end params: - name: AGGREGATE_TASKS_STATUS
@@ -50,6 +55,7 @@ spec: - name: kind value: task resolver: bundles + params: - description: Source Repository URL name: git-url
@@ -125,6 +131,7 @@ spec: on the cluster: https://konflux.pages.redhat.com/docs/users/getting-started/multi-platform-builds.html name: build-platforms type: array + results: - description: "" name: IMAGE_URL
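Review bot: The trigger switch is not explained in the file, and the reasoning belongs next to `pull_request:` rather than only in the commit message. With `pull_request`, the workflow version that runs is the one in the PR's merge ref, so the job's `if:` guard on `github.actor` (visible in the later auto-approve hunk of this series, not in this one) can be rewritten by the PR itself; what makes that acceptable is that pull requests from forks run without repository secrets and with a read-only `GITHUB_TOKEN`, so an approving credential is only reachable from branches pushed by accounts that already have write access. A comment such as `# Deliberately pull_request, not pull_request_target: fork PRs get no secrets and a read-only token, and the if: guard below limits the job to labeled PRs from red-hat-konflux[bot]` would preserve that reasoning. If the approval step uses a PAT rather than `GITHUB_TOKEN` (the step's credential is outside this hunk), the comment should also name which one, since that PAT's scope is what bounds what a same-repo branch could do.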
@@ -138,17 +145,20 @@ spec: - description: "" name: CHAINS-GIT_COMMIT value: $(tasks.clone-repository.results.commit) + workspaces: - name: git-auth + tasks: + - name: post-metric-start taskRef: *post-bigquery-metrics-ref - name: init params: - name: image-url - # We can't provide a StackRox-style tag because it is not known at this time (requires cloning source, etc.) - # As a workaround, we still provide a unique tag that's based on a revision in order for this task to comply with - # its expected input. We later actually add this tag on a built image with the apply-index-image-tag task. + # We can't provide a StackRox-style tag because it is not known at this time (requires cloning source, etc.) + # As a workaround, we still provide a unique tag that's based on a revision in order for this task to comply with + # its expected input. We later actually add this tag on a built image with the apply-index-image-tag task. value: $(params.output-image-repo):konflux-$(params.revision) - name: rebuild value: $(params.rebuild) @@ -161,6 +171,7 @@ spec: - name: kind value: task resolver: bundles + - name: clone-repository params: - name: url @@ -189,10 +200,11 @@ spec: when: - input: $(tasks.init.results.build) operator: in - values: ["true"] + values: [ "true" ] workspaces: - name: basic-auth workspace: git-auth + - name: determine-image-expiration params: - name: DEFAULT_IMAGE_EXPIRES_AFTER @@ -208,6 +220,7 @@ spec: - name: kind value: task resolver: bundles + - name: determine-image-tag params: - name: TAG_SUFFIX @@ -223,6 +236,7 @@ spec: - name: kind value: task resolver: bundles + - name: prefetch-dependencies params: - name: input @@ -235,7 +249,7 @@ spec: value: $(params.oci-artifact-expires-after) - name: ACTIVATION_KEY value: subscription-manager-activation-key-prod - # Required for the RPM prefetching support. + # Required for the RPM prefetching support. - name: dev-package-managers value: "true" taskRef: 
@@ -250,6 +264,7 @@ spec: workspaces: - name: git-basic-auth workspace: git-auth + - name: build-images matrix: params: @@ -285,7 +300,7 @@ spec: - name: BUILDAH_FORMAT value: $(params.buildah-format) - name: LABELS - value: ["$(params.extra-labels[*])"] + value: [ "$(params.extra-labels[*])" ] - name: BUILD_TIMESTAMP value: "$(tasks.clone-repository.results.commit-timestamp)" taskRef: @@ -300,8 +315,9 @@ spec: when: - input: $(tasks.init.results.build) operator: in - values: ["true"] + values: [ "true" ] timeout: 1h30m0s + - name: build-image-index params: - name: IMAGE @@ -328,7 +344,8 @@ spec: when: - input: $(tasks.init.results.build) operator: in - values: ["true"] + values: [ "true" ] + - name: apply-index-image-tag params: - name: IMAGE_URL @@ -350,7 +367,8 @@ spec: when: - input: $(tasks.init.results.build) operator: in - values: ["true"] + values: [ "true" ] + - name: build-source-image params: - name: BINARY_IMAGE @@ -373,10 +391,11 @@ spec: when: - input: $(tasks.init.results.build) operator: in - values: ["true"] + values: [ "true" ] - input: $(params.build-source-image) operator: in - values: ["true"] + values: [ "true" ] + - name: deprecated-base-image-check params: - name: IMAGE_URL @@ -395,7 +414,8 @@ spec: when: - input: $(params.skip-checks) operator: in - values: ["false"] + values: [ "false" ] + - name: clair-scan matrix: params: @@ -419,7 +439,8 @@ spec: when: - input: $(params.skip-checks) operator: in - values: ["false"] + values: [ "false" ] + - name: ecosystem-cert-preflight-checks matrix: params: @@ -441,7 +462,8 @@ spec: when: - input: $(params.skip-checks) operator: in - values: ["false"] + values: [ "false" ] + - name: sast-shell-check params: - name: image-digest @@ -464,7 +486,8 @@ spec: when: - input: $(params.skip-checks) operator: in - values: ["false"] + values: [ "false" ] + - name: sast-unicode-check params: - name: image-digest 
@@ -487,7 +510,8 @@ spec: when: - input: $(params.skip-checks) operator: in - values: ["false"] + values: [ "false" ] + - name: sast-snyk-check params: - name: SOURCE_ARTIFACT @@ -510,7 +534,8 @@ spec: when: - input: $(params.skip-checks) operator: in - values: ["false"] + values: [ "false" ] + - name: clamav-scan matrix: params: @@ -534,7 +559,8 @@ spec: when: - input: $(params.skip-checks) operator: in - values: ["false"] + values: [ "false" ] + - name: rpms-signature-scan params: - name: image-digest @@ -553,7 +579,8 @@ spec: when: - input: $(params.skip-checks) operator: in - values: ["false"] + values: [ "false" ] + - name: push-dockerfile params: - name: IMAGE From 008095b2eab80f07825bbd89ddb9aa13452b7be8 Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Wed, 26 Nov 2025 12:28:12 +0100 Subject: [PATCH 4/7] Add workflow for tagging human Konflux-maintainers for review --- .github/workflows/tag-more-reviewers.yaml | 30 +++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 .github/workflows/tag-more-reviewers.yaml diff --git a/.github/workflows/tag-more-reviewers.yaml b/.github/workflows/tag-more-reviewers.yaml new file mode 100644 index 0000000000..f4233751ca --- /dev/null +++ b/.github/workflows/tag-more-reviewers.yaml 
@@ -0,0 +1,30 @@
+name: Tag more reviewers
+
+on:
+ pull_request:
+ types:
+ - review_requested
+
+jobs:
+ tag-konflux-maintainers:
+ # We have lots of PR traffic from MintMaker (acting as `red-hat-konflux[bot]`), and so it's unsustainable to go
+ # through these emails every day. Therefore, the notifications are disabled for `konflux-maintainers-no-email`
+ # team that's set as owner in CODEOWNERS for the Konflux stuff.
+ # At the same time, we want to be notified when humans, not the bot, request reviews (which happens automatically
+ # again through CODEOWNERS) for the Konflux-related files. This job invites `konflux-maintainers` team for review
+ # for such cases.
+ if: |
+ github.event.requested_team.name == 'konflux-maintainers-no-email' &&
+ github.event.pull_request.user.login != 'red-hat-konflux[bot]'
+ env:
+ GH_TOKEN: ${{ secrets.RHACS_BOT_GITHUB_TOKEN }}
+ runs-on: ubuntu-latest
+ steps:
+ - name: Tag Konflux Maintainers for review
+ run: |
+ exec gh api \
+ --method POST \
+ -H "Accept: application/vnd.github+json" \
+ -H "X-GitHub-Api-Version: 2022-11-28" \
+ "/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/requested_reviewers" \
+ --input - <<< '{ "team_reviewers": [ "konflux-maintainers" ] }'

From 7bca5a77c65c4ffa3a2c778b6d618f18a02e41dc Mon Sep 17 00:00:00 2001
From: Misha Sugakov
Date: Fri, 28 Nov 2025 12:17:28 +0100
Subject: [PATCH 5/7] Correct articles in the comment

---
 .github/CODEOWNERS | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index f3cfcde767..9c36e65ca5 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
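Review bot: The `if:` on the `tag-konflux-maintainers` job admits any human-authored PR whose CODEOWNERS match requested `konflux-maintainers-no-email`, but the step authenticates with `${{ secrets.RHACS_BOT_GITHUB_TOKEN }}` under a `pull_request` trigger, and for a PR opened from a fork repository secrets are not supplied, so `GH_TOKEN` would be empty and the `gh api` call would most likely fail with a red check on exactly those external PRs (the repository evidently receives them, given the external-label workflow touched later in this series). Adding `github.event.pull_request.head.repo.full_name == github.repository` to the condition, or `continue-on-error: true` on the step, avoids that; which one is right depends on whether fork PRs should still reach the maintainers by another route. The workflow also sets no `permissions:`; since the step uses the bot PAT instead of `GITHUB_TOKEN`, `permissions: {}` at the top level records that the default token is not needed. A comment next to `GH_TOKEN` naming the scopes the PAT needs for requesting team reviewers would help whoever rotates it.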
@@ -8,9 +8,9 @@ RELEASED_VERSIONS @stackrox/collector-team
 RELEASED_VERSIONS.unsupported @stackrox/collector-team
-# The Konflux maintainers for ACS review all changes related to the Konflux pipelines, Dockerfiles, etc.
-# Release engineers need to merge MintMaker PRs at the time of release.
-# rhacs-bot needs ability to auto-approve MintMaker PRs for automated task and security updates.
+# Konflux maintainers for ACS review all changes related to the Konflux pipelines, Dockerfiles, etc.
+# Release engineers need to merge MintMaker PRs at the time of the release.
+# rhacs-bot needs an ability to auto-approve MintMaker PRs for automated task and security updates.
 **/konflux.*Dockerfile @stackrox/konflux-maintainers-no-email @stackrox/release-mgmt-no-email @rhacs-bot
 /.tekton/ @stackrox/konflux-maintainers-no-email @stackrox/release-mgmt-no-email @rhacs-bot
 rpms.* @stackrox/konflux-maintainers-no-email @stackrox/release-mgmt-no-email @rhacs-bot

From 1869384eb1bc0cabe5a677b5e0f95bc9c198021b Mon Sep 17 00:00:00 2001
From: Misha Sugakov
Date: Fri, 28 Nov 2025 12:18:11 +0100
Subject: [PATCH 6/7] Pin ubuntu version for consistency and stability

---
 .github/workflows/add-new-pr-to-oss-triaging.yml | 2 +-
 .github/workflows/auto-approve.yml | 2 +-
 .github/workflows/tag-more-reviewers.yaml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/add-new-pr-to-oss-triaging.yml b/.github/workflows/add-new-pr-to-oss-triaging.yml
index 3d8a6c9029..6f7c48ec65 100644
--- a/.github/workflows/add-new-pr-to-oss-triaging.yml
+++ b/.github/workflows/add-new-pr-to-oss-triaging.yml
@@ -9,7 +9,7 @@ env:
 jobs:
 check-pr-if-external:
 name: Add external label to pull request if outside StackRox
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
 env:
 GH_TOKEN: ${{ github.token }}
 BASE_REPO: ${{ github.repository }}
diff --git a/.github/workflows/auto-approve.yml b/.github/workflows/auto-approve.yml
index 85579a05dc..4daa54c89c 100644
--- a/.github/workflows/auto-approve.yml
+++ b/.github/workflows/auto-approve.yml
@@ -8,7 +8,7 @@ on:
 jobs:
 auto-approve:
 name: Auto-approve Konflux updates for default branch
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
 if: github.actor == 'red-hat-konflux[bot]' && github.event.label.name == 'auto-approve' && github.event.pull_request.base.ref == github.event.pull_request.base.repo.default_branch
 steps:
 - env:
diff --git a/.github/workflows/tag-more-reviewers.yaml b/.github/workflows/tag-more-reviewers.yaml
index f4233751ca..d097d49324 100644
--- a/.github/workflows/tag-more-reviewers.yaml
+++ b/.github/workflows/tag-more-reviewers.yaml
@@ -18,7 +18,7 @@ jobs:
 github.event.pull_request.user.login != 'red-hat-konflux[bot]'
 env:
 GH_TOKEN: ${{ secrets.RHACS_BOT_GITHUB_TOKEN }}
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
 steps:
 - name: Tag Konflux Maintainers for review
 run: |

From 70973413e50275282d6704e4b28fdb310693d75d Mon Sep 17 00:00:00 2001
From: Misha Sugakov
Date: Wed, 3 Dec 2025 11:43:39 +0100
Subject: [PATCH 7/7] Switch to a simpler way to tag reviewers with `gh` cli

Credits to Tomek https://github.com/stackrox/stackrox/pull/17968#discussion_r2565756846

---
 .github/workflows/tag-more-reviewers.yaml | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/tag-more-reviewers.yaml b/.github/workflows/tag-more-reviewers.yaml
index d097d49324..4b94157c38 100644
--- a/.github/workflows/tag-more-reviewers.yaml
+++ b/.github/workflows/tag-more-reviewers.yaml
@@ -22,9 +22,5 @@ jobs:
 steps:
 - name: Tag Konflux Maintainers for review
 run: |
- exec gh api \
- --method POST \
- -H "Accept: application/vnd.github+json" \
- -H "X-GitHub-Api-Version: 2022-11-28" \
- "/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/requested_reviewers" \
- --input - <<< '{ "team_reviewers": [ "konflux-maintainers" ] }'
+ gh pr --repo "${{ github.repository }}" edit "${{ github.event.pull_request.number }}" \
+ --add-reviewer stackrox/konflux-maintainers
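Review bot: The new `gh pr edit` line hard-codes `stackrox/konflux-maintainers` while the job's `if:` (before this hunk) keys on `konflux-maintainers-no-email`; the pairing of the two team names is the whole mechanism, so a comment above the command such as `# CODEOWNERS requests konflux-maintainers-no-email, which triggers this job; invite the notified twin team here` keeps them from drifting apart silently. `gh pr edit --add-reviewer` also resolves team reviewers itself rather than posting `team_reviewers` as the removed `gh api` call did; as far as I recall that lookup needs the token to be able to read the organization's teams, so the scopes on `RHACS_BOT_GITHUB_TOKEN` are worth confirming once after this change rather than assumed. The enclosing step and its `env:` start before this hunk.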