From 62057512070f523b4c2a5586ad0b3bfe9552055e Mon Sep 17 00:00:00 2001
From: Aleksandr Kurlov
Date: Tue, 30 Sep 2025 14:00:18 +0200
Subject: [PATCH 1/4] Add post fbc builds comment
---
.tekton/show-comment-fbc-builds.yaml | 76 ++++++++++++++++++++++++++++
1 file changed, 76 insertions(+)
create mode 100644 .tekton/show-comment-fbc-builds.yaml
diff --git a/.tekton/show-comment-fbc-builds.yaml b/.tekton/show-comment-fbc-builds.yaml
new file mode 100644
index 00000000..a2735a5a
--- /dev/null
+++ b/.tekton/show-comment-fbc-builds.yaml
@@ -0,0 +1,76 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+ annotations:
+ build.appstudio.openshift.io/repo: https://github.com/stackrox/operator-index?rev={{revision}}
+ build.appstudio.redhat.com/commit_sha: '{{revision}}'
+ build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}'
+ build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+ pipelinesascode.tekton.dev/max-keep-runs: "500"
+ # The on-push filter includes konflux/* branches which are created by Mintmaker so that CI runs for commits pushed
+ # onto these branches even without PRs and so that Mintmaker/Renovate can automerge its updates without PRs.
+ pipelinesascode.tekton.dev/on-cel-expression: |
+ (event == "push" && target_branch.matches("^(master|konflux/references/master|konflux/mintmaker/.*)$")) ||
+ (event == "pull_request" && body.action != "ready_for_review")
+ labels:
+ appstudio.openshift.io/application: acs-operator-index-ocp-v4-19
+ name: post-fbc-builds-comment
+ namespace: rh-acs-tenant
+
+spec:
+
+ params:
+ - name: git-url
+ value: '{{source_url}}'
+ - name: revision
+ value: '{{revision}}'
+
+ taskRunTemplate:
+ # This pipeline doesn't have its own Component, but it has to have some ServiceAccount.
+ # The pipeline has no special needs for SA, therefore, we re-use SA from one of the existing Components.
+ serviceAccountName: build-pipeline-operator-index-ocp-v4-19
+
+ workspaces:
+ - name: git-auth
+ secret:
+ secretName: '{{ git_auth_secret }}'
+
+ pipelineSpec:
+ description: |
+ This pipeline posts a comment in the PR with the FBC build image URL.
+
+ spec:
+ params:
+ - name: pr_number
+ description: Pull request number
+ type: string
+ - name: github_token
+ description: GitHub token for bot
+ type: string
+ - name: image_url
+ description: Image URL to post
+ type: string
+ steps:
+ - name: show-fbc-build-images
+ image: registry.redhat.io/rhel9/python-311@sha256:47e23afaf5daf6a98e76a3b5a924b85bbcb19c72b5c6ac474a418aea54cd8aae
+ env:
+ - name: GITHUB_TOKEN
+ value: "$(params.github_token)"
+ script: |
+ #!/usr/bin/env python3
+ import os
+ import requests
+
+ pr_number = "$(params.pr_number)"
+ image_url = "$(params.image_url)"
+ token = os.environ["GITHUB_TOKEN"]
+
+ url = f"https://api.github.com/repos/stackrox/operator-index/issues/{pr_number}/comments"
+ headers = {
+ "Authorization": f"token {token}",
+ "Accept": "application/vnd.github.v3+json"
+ }
+ data = {"body": f"Build image URL: {image_url}"}
+ resp = requests.post(url, headers=headers, json=data)
+ print("Status:", resp.status_code)
+ print("Response:", resp.text)
\ No newline at end of file
From a5bbebdba3f8bd078758ad6a13456358218f7df8 Mon Sep 17 00:00:00 2001
From: Aleksandr Kurlov
Date: Tue, 30 Sep 2025 14:10:24 +0200
Subject: [PATCH 2/4] Update struct
---
.tekton/show-comment-fbc-builds.yaml | 96 ++++++++++++++++++----------
1 file changed, 64 insertions(+), 32 deletions(-)
diff --git a/.tekton/show-comment-fbc-builds.yaml b/.tekton/show-comment-fbc-builds.yaml
index a2735a5a..69daf00f 100644
--- a/.tekton/show-comment-fbc-builds.yaml
+++ b/.tekton/show-comment-fbc-builds.yaml
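Review bot: The bot token is passed as a plain string param (`github_token`) and copied into the step's env with `value: "$(params.github_token)"`; Tekton stores param values in the PipelineRun/TaskRun objects, so anyone who can read those resources can read the token. Source it from the Secret instead, for example `valueFrom: {secretKeyRef: {name: <secret-name>, key: <token-key>}}` (both placeholders), or from a mounted workspace. In the same step, `pr_number = "$(params.pr_number)"` and `image_url = "$(params.image_url)"` are substituted into the Python source before it runs, so a value containing a quote rewrites the script; pass both through `env` and read them with `os.environ`. The same `value: "$(params.github_token)"` line is carried into PATCH 2/4 and into `.tekton/post-pr-comment-fbc-build.yaml` in PATCH 3/4.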
@@ -39,38 +39,70 @@ spec: description: | This pipeline posts a comment in the PR with the FBC build image URL. - spec: params: - - name: pr_number - description: Pull request number - type: string - - name: github_token - description: GitHub token for bot - type: string - - name: image_url - description: Image URL to post - type: string - steps: - - name: show-fbc-build-images - image: registry.redhat.io/rhel9/python-311@sha256:47e23afaf5daf6a98e76a3b5a924b85bbcb19c72b5c6ac474a418aea54cd8aae - env: - - name: GITHUB_TOKEN - value: "$(params.github_token)" - script: | - #!/usr/bin/env python3 - import os - import requests + - description: Source Repository URL + name: git-url + type: string + - description: Revision of the Source Repository + name: revision + type: string + - default: quay.io/rhacs-eng/stackrox-operator-index + description: Intermediate Image Repository + name: oci-repo + type: string + - default: "1d" + description: This sets the expiration time for intermediate OCI artifacts produced and used during builds after + which they can be garbage collected. 
+ name: oci-artifact-expires-after + type: string - pr_number = "$(params.pr_number)" - image_url = "$(params.image_url)" - token = os.environ["GITHUB_TOKEN"] + workspaces: + - name: git-auth - url = f"https://api.github.com/repos/stackrox/operator-index/issues/{pr_number}/comments" - headers = { - "Authorization": f"token {token}", - "Accept": "application/vnd.github.v3+json" - } - data = {"body": f"Build image URL: {image_url}"} - resp = requests.post(url, headers=headers, json=data) - print("Status:", resp.status_code) - print("Response:", resp.text) \ No newline at end of file + tasks: + + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + - name: ociStorage + value: $(params.oci-repo):konflux-ready-for-master-merge-$(params.revision).git + - name: ociArtifactExpiresAfter + value: $(params.oci-artifact-expires-after) + taskRef: + params: + - name: pr_number + description: Pull request number + type: string + - name: github_token + description: GitHub token for bot + type: string + - name: image_url + description: Image URL to post + type: string + steps: + - name: show-fbc-build-images + image: registry.redhat.io/rhel9/python-311@sha256:47e23afaf5daf6a98e76a3b5a924b85bbcb19c72b5c6ac474a418aea54cd8aae + env: + - name: GITHUB_TOKEN + value: "$(params.github_token)" + script: | + #!/usr/bin/env python3 + import os + import requests + + pr_number = "$(params.pr_number)" + image_url = "$(params.image_url)" + token = os.environ["GITHUB_TOKEN"] + + url = f"https://api.github.com/repos/stackrox/operator-index/issues/{pr_number}/comments" + headers = { + "Authorization": f"token {token}", + "Accept": "application/vnd.github.v3+json" + } + data = {"body": f"Build image URL: {image_url}"} + resp = requests.post(url, headers=headers, json=data) + print("Status:", resp.status_code) + print("Response:", resp.text) \ No newline at end of file 
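Review bot: `clone-repository` ends with an empty `taskRef:` and is followed by `params:`/`steps:` that declare a task inline, so (as far as the flattened indentation shows) the pipeline task neither references a task nor embeds one. Inline steps belong under `taskSpec:`, and `taskRef:` needs a `name` or a resolver. The values passed to the task (`url`, `revision`, `ociStorage`, `ociArtifactExpiresAfter`) also do not match the params the inline block declares (`pr_number`, `github_token`, `image_url`), so the comment step would receive no values even once the structure parses.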
From 954bc5ccaa7d465ead7af5ffd48a0457bbf7f532 Mon Sep 17 00:00:00 2001 From: Aleksandr Kurlov Date: Thu, 2 Oct 2025 13:59:45 +0200 Subject: [PATCH 3/4] Add task to each operator build --- .tekton/operator-index-ocp-v4-19-build.yaml | 3 + .tekton/operator-index-pipeline.yaml | 18 ++++ .tekton/post-pr-comment-fbc-build.yaml | 42 ++++++++ .tekton/show-comment-fbc-builds.yaml | 108 -------------------- .vscode/settings.json | 7 ++ 5 files changed, 70 insertions(+), 108 deletions(-) create mode 100644 .tekton/post-pr-comment-fbc-build.yaml delete mode 100644 .tekton/show-comment-fbc-builds.yaml create mode 100644 .vscode/settings.json diff --git a/.tekton/operator-index-ocp-v4-19-build.yaml b/.tekton/operator-index-ocp-v4-19-build.yaml index 164be7b3..17089c36 100644 --- a/.tekton/operator-index-ocp-v4-19-build.yaml +++ b/.tekton/operator-index-ocp-v4-19-build.yaml @@ -40,6 +40,9 @@ spec: - name: git-auth secret: secretName: '{{ git_auth_secret }}' + - name: github-auth + secret: + secretName: rhacs-github-bot-token pipelineRef: name: operator-index-pipeline diff --git a/.tekton/operator-index-pipeline.yaml b/.tekton/operator-index-pipeline.yaml index 6bcb5338..ceea36a9 100644 --- a/.tekton/operator-index-pipeline.yaml +++ b/.tekton/operator-index-pipeline.yaml @@ -292,6 +292,24 @@ spec: - input: $(tasks.init.results.build) operator: in values: [ "true" ] + + - name: post-pr-comment-fbc-build + params: + - name: REPO + value: stackrox/operator-index + - name: PR_NUMBER + value: $(context.pipelineRun.annotations['build.appstudio.redhat.com/pull_request_number']) + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + workspaces: + - name: github-auth + workspace: git-auth + taskRef: + name: post-pr-comment-fbc-build + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] - name: deprecated-base-image-check params: 
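Review bot: The `github-auth` workspace mounts the fixed Secret `rhacs-github-bot-token` into every run of this PipelineRun, and the hunk carries no comment saying what the token may do or which task is meant to read it. If this definition is also triggered by pull requests (the trigger annotation is outside the hunk), the credential is present in runs that build contributor-supplied revisions, so it should be a token limited to commenting on this repository. I would add a comment above the binding such as `# Bot token read only by post-pr-comment-fbc-build; scope: PR comments on stackrox/operator-index`. The same three lines are added to the v4-12 through v4-18 build files in PATCH 4/4.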
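Review bot: `PR_NUMBER` is filled from `$(context.pipelineRun.annotations['build.appstudio.redhat.com/pull_request_number'])`, and I could not confirm that Tekton resolves annotation lookups under `context.pipelineRun`; if it does not, the task receives the literal string. A pipeline param set from the Pipelines-as-Code `{{pull_request_number}}` template in each PipelineRun would be a safer source. The task is also gated only on `skip-checks`, so on a run without a pull request (push-triggered runs, if this pipeline has them) it would still call the comments endpoint with an empty number; a second `when` entry on the PR number with `operator: notin` and `values: [""]` would skip it. The `tasks:` list starts outside the hunk.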
diff --git a/.tekton/post-pr-comment-fbc-build.yaml b/.tekton/post-pr-comment-fbc-build.yaml
new file mode 100644
index 00000000..a6ccca99
--- /dev/null
+++ b/.tekton/post-pr-comment-fbc-build.yaml
@@ -0,0 +1,42 @@
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+ name: post-pr-comment-fbc-build
+spec:
+ params:
+ - name: REPO
+ type: string
+ description: GitHub repo in 'owner/repo' format
+ - name: PR_NUMBER
+ type: string
+ description: PR number to post to
+ - name: IMAGE_URL
+ type: string
+ description: FBC build image URL to post as a comment
+ workspaces:
+ - name: github-auth
+ description: Workspace with the GitHub token secret
+ steps:
+ - name: show-fbc-build-images
+ image: registry.redhat.io/rhel9/python-311@sha256:47e23afaf5daf6a98e76a3b5a924b85bbcb19c72b5c6ac474a418aea54cd8aae
+ env:
+ - name: GITHUB_TOKEN
+ value: "$(params.github_token)"
+ script: |
+ #!/usr/bin/env python3
+ import os
+ import requests
+
+ pr_number = os.environ["PR_NUMBER"]
+ image_url = os.environ["IMAGE_URL"]
+ token = os.environ["GITHUB_TOKEN"]
+
+ url = f"https://api.github.com/repos/stackrox/operator-index/issues/{pr_number}/comments"
+ headers = {
+ "Authorization": f"token {token}",
+ "Accept": "application/vnd.github.v3+json"
+ }
+ data = {"body": f"Build image URL: {image_url}"}
+ resp = requests.post(url, headers=headers, json=data)
+ print("Status:", resp.status_code)
+ print("Response:", resp.text)
\ No newline at end of file
diff --git a/.tekton/show-comment-fbc-builds.yaml b/.tekton/show-comment-fbc-builds.yaml
deleted file mode 100644
index 69daf00f..00000000
--- a/.tekton/show-comment-fbc-builds.yaml
+++ /dev/null
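Review bot: The step's `GITHUB_TOKEN` env takes `value: "$(params.github_token)"`, but the Task declares only `REPO`, `PR_NUMBER` and `IMAGE_URL`, and the `github-auth` workspace that is meant to carry the token is never read. The script also reads `os.environ["PR_NUMBER"]` and `os.environ["IMAGE_URL"]`, which no `env` entry sets, and it ignores `REPO` in favour of a hard-coded repository, so as written the step cannot post. The sketch below maps the params into `env`, reads the token from the workspace file (`<token-key>` is a placeholder for the key name inside the Secret), adds a request timeout, and fails the step on a non-2xx status instead of only printing the response body. Whether `requests` is installed in the pinned `python-311` image should be checked as well.

```yaml
      env:
        - name: REPO
          value: "$(params.REPO)"
        - name: PR_NUMBER
          value: "$(params.PR_NUMBER)"
        - name: IMAGE_URL
          value: "$(params.IMAGE_URL)"
        - name: TOKEN_FILE
          # <token-key> is a placeholder for the key name inside the mounted Secret
          value: "$(workspaces.github-auth.path)/<token-key>"
      script: |
        #!/usr/bin/env python3
        # … unchanged: imports …
        repo = os.environ["REPO"]
        pr_number = os.environ["PR_NUMBER"]
        image_url = os.environ["IMAGE_URL"]
        with open(os.environ["TOKEN_FILE"]) as token_file:
            token = token_file.read().strip()

        url = f"https://api.github.com/repos/{repo}/issues/{pr_number}/comments"
        # … unchanged: headers, data …
        resp = requests.post(url, headers=headers, json=data, timeout=30)
        print("Status:", resp.status_code)
        resp.raise_for_status()
```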
@@ -1,108 +0,0 @@ -apiVersion: tekton.dev/v1 -kind: PipelineRun -metadata: - annotations: - build.appstudio.openshift.io/repo: https://github.com/stackrox/operator-index?rev={{revision}} - build.appstudio.redhat.com/commit_sha: '{{revision}}' - build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' - build.appstudio.redhat.com/target_branch: '{{target_branch}}' - pipelinesascode.tekton.dev/max-keep-runs: "500" - # The on-push filter includes konflux/* branches which are created by Mintmaker so that CI runs for commits pushed - # onto these branches even without PRs and so that Mintmaker/Renovate can automerge its updates without PRs. - pipelinesascode.tekton.dev/on-cel-expression: | - (event == "push" && target_branch.matches("^(master|konflux/references/master|konflux/mintmaker/.*)$")) || - (event == "pull_request" && body.action != "ready_for_review") - labels: - appstudio.openshift.io/application: acs-operator-index-ocp-v4-19 - name: post-fbc-builds-comment - namespace: rh-acs-tenant - -spec: - - params: - - name: git-url - value: '{{source_url}}' - - name: revision - value: '{{revision}}' - - taskRunTemplate: - # This pipeline doesn't have its own Component, but it has to have some ServiceAccount. - # The pipeline has no special needs for SA, therefore, we re-use SA from one of the existing Components. - serviceAccountName: build-pipeline-operator-index-ocp-v4-19 - - workspaces: - - name: git-auth - secret: - secretName: '{{ git_auth_secret }}' - - pipelineSpec: - description: | - This pipeline posts a comment in the PR with the FBC build image URL. 
- - params: - - description: Source Repository URL - name: git-url - type: string - - description: Revision of the Source Repository - name: revision - type: string - - default: quay.io/rhacs-eng/stackrox-operator-index - description: Intermediate Image Repository - name: oci-repo - type: string - - default: "1d" - description: This sets the expiration time for intermediate OCI artifacts produced and used during builds after - which they can be garbage collected. - name: oci-artifact-expires-after - type: string - - workspaces: - - name: git-auth - - tasks: - - - name: clone-repository - params: - - name: url - value: $(params.git-url) - - name: revision - value: $(params.revision) - - name: ociStorage - value: $(params.oci-repo):konflux-ready-for-master-merge-$(params.revision).git - - name: ociArtifactExpiresAfter - value: $(params.oci-artifact-expires-after) - taskRef: - params: - - name: pr_number - description: Pull request number - type: string - - name: github_token - description: GitHub token for bot - type: string - - name: image_url - description: Image URL to post - type: string - steps: - - name: show-fbc-build-images - image: registry.redhat.io/rhel9/python-311@sha256:47e23afaf5daf6a98e76a3b5a924b85bbcb19c72b5c6ac474a418aea54cd8aae - env: - - name: GITHUB_TOKEN - value: "$(params.github_token)" - script: | - #!/usr/bin/env python3 - import os - import requests - - pr_number = "$(params.pr_number)" - image_url = "$(params.image_url)" - token = os.environ["GITHUB_TOKEN"] - - url = f"https://api.github.com/repos/stackrox/operator-index/issues/{pr_number}/comments" - headers = { - "Authorization": f"token {token}", - "Accept": "application/vnd.github.v3+json" - } - data = {"body": f"Build image URL: {image_url}"} - resp = requests.post(url, headers=headers, json=data) - print("Status:", resp.status_code) - print("Response:", resp.text) \ No newline at end of file 
diff --git a/.vscode/settings.json b/.vscode/settings.json new file mode 100644 index 00000000..1b76004a --- /dev/null +++ b/.vscode/settings.json @@ -0,0 +1,7 @@ +{ + "cSpell.words": [ + "goccy", + "mediatype", + "rhacs" + ] +} \ No newline at end of file From 1ce3ad4a994b8f1f4f7e183d49c38a408e1db6e4 Mon Sep 17 00:00:00 2001 From: Aleksandr Kurlov Date: Tue, 14 Oct 2025 12:11:43 +0200 Subject: [PATCH 4/4] Add secrets to all components --- .tekton/operator-index-ocp-v4-12-build.yaml | 3 +++ .tekton/operator-index-ocp-v4-13-build.yaml | 3 +++ .tekton/operator-index-ocp-v4-14-build.yaml | 3 +++ .tekton/operator-index-ocp-v4-15-build.yaml | 3 +++ .tekton/operator-index-ocp-v4-16-build.yaml | 3 +++ .tekton/operator-index-ocp-v4-17-build.yaml | 3 +++ .tekton/operator-index-ocp-v4-18-build.yaml | 3 +++ .tekton/operator-index-pipeline.yaml | 7 +++++-- .tekton/post-pr-comment-fbc-build.yaml | 2 +- 9 files changed, 27 insertions(+), 3 deletions(-) diff --git a/.tekton/operator-index-ocp-v4-12-build.yaml b/.tekton/operator-index-ocp-v4-12-build.yaml index f8507e9f..86aed7b8 100644 --- a/.tekton/operator-index-ocp-v4-12-build.yaml +++ b/.tekton/operator-index-ocp-v4-12-build.yaml @@ -45,6 +45,9 @@ spec: - name: git-auth secret: secretName: '{{ git_auth_secret }}' + - name: github-auth + secret: + secretName: rhacs-github-bot-token pipelineRef: name: operator-index-pipeline diff --git a/.tekton/operator-index-ocp-v4-13-build.yaml b/.tekton/operator-index-ocp-v4-13-build.yaml index 2cb0ab40..1564318b 100644 --- a/.tekton/operator-index-ocp-v4-13-build.yaml +++ b/.tekton/operator-index-ocp-v4-13-build.yaml @@ -44,6 +44,9 @@ spec: - name: git-auth secret: secretName: '{{ git_auth_secret }}' + - name: github-auth + secret: + secretName: rhacs-github-bot-token pipelineRef: name: operator-index-pipeline diff --git a/.tekton/operator-index-ocp-v4-14-build.yaml b/.tekton/operator-index-ocp-v4-14-build.yaml index e669f805..85550de7 100644 
--- a/.tekton/operator-index-ocp-v4-14-build.yaml +++ b/.tekton/operator-index-ocp-v4-14-build.yaml @@ -40,6 +40,9 @@ spec: - name: git-auth secret: secretName: '{{ git_auth_secret }}' + - name: github-auth + secret: + secretName: rhacs-github-bot-token pipelineRef: name: operator-index-pipeline diff --git a/.tekton/operator-index-ocp-v4-15-build.yaml b/.tekton/operator-index-ocp-v4-15-build.yaml index 35d741c5..48c3590d 100644 --- a/.tekton/operator-index-ocp-v4-15-build.yaml +++ b/.tekton/operator-index-ocp-v4-15-build.yaml @@ -40,6 +40,9 @@ spec: - name: git-auth secret: secretName: '{{ git_auth_secret }}' + - name: github-auth + secret: + secretName: rhacs-github-bot-token pipelineRef: name: operator-index-pipeline diff --git a/.tekton/operator-index-ocp-v4-16-build.yaml b/.tekton/operator-index-ocp-v4-16-build.yaml index fb909b68..5b575e6b 100644 --- a/.tekton/operator-index-ocp-v4-16-build.yaml +++ b/.tekton/operator-index-ocp-v4-16-build.yaml @@ -40,6 +40,9 @@ spec: - name: git-auth secret: secretName: '{{ git_auth_secret }}' + - name: github-auth + secret: + secretName: rhacs-github-bot-token pipelineRef: name: operator-index-pipeline diff --git a/.tekton/operator-index-ocp-v4-17-build.yaml b/.tekton/operator-index-ocp-v4-17-build.yaml index 0e466acb..95144e2c 100644 --- a/.tekton/operator-index-ocp-v4-17-build.yaml +++ b/.tekton/operator-index-ocp-v4-17-build.yaml @@ -40,6 +40,9 @@ spec: - name: git-auth secret: secretName: '{{ git_auth_secret }}' + - name: github-auth + secret: + secretName: rhacs-github-bot-token pipelineRef: name: operator-index-pipeline diff --git a/.tekton/operator-index-ocp-v4-18-build.yaml b/.tekton/operator-index-ocp-v4-18-build.yaml index 92d099d3..3e86bb26 100644 --- a/.tekton/operator-index-ocp-v4-18-build.yaml +++ b/.tekton/operator-index-ocp-v4-18-build.yaml 
@@ -40,6 +40,9 @@ spec: - name: git-auth secret: secretName: '{{ git_auth_secret }}' + - name: github-auth + secret: + secretName: rhacs-github-bot-token pipelineRef: name: operator-index-pipeline diff --git a/.tekton/operator-index-pipeline.yaml b/.tekton/operator-index-pipeline.yaml index 43ed1967..52fbac37 100644 --- a/.tekton/operator-index-pipeline.yaml +++ b/.tekton/operator-index-pipeline.yaml @@ -164,6 +164,7 @@ spec: value: $(tasks.clone-repository.results.commit) workspaces: - name: git-auth + - name: github-auth tasks: - name: post-metric-start taskRef: *post-bigquery-metrics-ref @@ -291,8 +292,10 @@ spec: - name: IMAGE_URL value: $(tasks.build-image-index.results.IMAGE_URL) workspaces: - - name: github-auth - workspace: git-auth + - name: basic-auth + workspace: git-auth + - name: github-auth + workspace: github-auth taskRef: name: post-pr-comment-fbc-build when: diff --git a/.tekton/post-pr-comment-fbc-build.yaml b/.tekton/post-pr-comment-fbc-build.yaml index a6ccca99..eaea8b2b 100644 --- a/.tekton/post-pr-comment-fbc-build.yaml +++ b/.tekton/post-pr-comment-fbc-build.yaml @@ -39,4 +39,4 @@ spec: data = {"body": f"Build image URL: {image_url}"} resp = requests.post(url, headers=headers, json=data) print("Status:", resp.status_code) - print("Response:", resp.text) \ No newline at end of file + print("Response:", resp.text)
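Review bot: The added `basic-auth` binding passes the `git-auth` workspace to `post-pr-comment-fbc-build`, but that Task declares only the `github-auth` workspace, so the binding either fails validation or gives a comment-posting step access to git credentials it has no use for. I would drop the two lines `- name: basic-auth` / `workspace: git-auth` and keep only the `github-auth` binding. In the first hunk of this file, `- name: github-auth` becomes a required workspace for every PipelineRun that references `operator-index-pipeline`; adding `optional: true` would keep any run file not updated in this series working. The task block starts outside the hunk.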