ROX-30730: Scan Konflux images with GHA #17985
Conversation
|
Skipping CI for Draft Pull Request. |
![sourcery-ai[bot]](https://avatars.githubusercontent.com/in/48477?s=60&v=4){kind=small}
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
|
Images are ready for the commit at 051a5a5. To use with deploy scripts, first |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #17985 +/- ##
==========================================
- Coverage 48.94% 48.93% -0.01%
==========================================
Files 2637 2637
Lines 198156 198156
==========================================
- Hits 96987 96975 -12
- Misses 93767 93775 +8
- Partials 7402 7406 +4
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
tommartensen
changed the title
…x/stackrox into tm/check-konflux-vulnerabilities
There was a problem hiding this comment.
Hey there - I've reviewed your changes and found some issues that need to be addressed.
- The new
pushtrigger doesn’t provideinputs.version, so the workflow (includingrun-nameand the composite action input) will likely see an empty or undefined version on tag pushes; consider derivingversionfromgithub.ref_name(forpush) and usinginputs.versiononly forworkflow_dispatch. - Both upstream and Konflux jobs upload artifacts with the same
scan-result-${{ matrix.image }}naming pattern, which can cause artifact name collisions/merging and make it unclear which scan corresponds to which build; consider including the source (e.g.-upstream/-konfluxor the tag) in the artifact name. - The composite action is referenced by a feature branch (
@tm/ROX-image-vuln-check); once the action is finalized, pin it to a stable tag or commit SHA to avoid unexpected behavior changes in this workflow.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- The new `push` trigger doesn’t provide `inputs.version`, so the workflow (including `run-name` and the composite action input) will likely see an empty or undefined version on tag pushes; consider deriving `version` from `github.ref_name` (for `push`) and using `inputs.version` only for `workflow_dispatch`.
- Both upstream and Konflux jobs upload artifacts with the same `scan-result-${{ matrix.image }}` naming pattern, which can cause artifact name collisions/merging and make it unclear which scan corresponds to which build; consider including the source (e.g. `-upstream` / `-konflux` or the tag) in the artifact name.
- The composite action is referenced by a feature branch (`@tm/ROX-image-vuln-check`); once the action is finalized, pin it to a stable tag or commit SHA to avoid unexpected behavior changes in this workflow.
## Individual Comments
### Comment 1
<location> `.github/workflows/check-image-vulnerabilities.yml:13` </location>
<code_context>
+ push:
+ tags: ['*']
run-name: ${{ format('Check image vulnerabilities for {0}', inputs.version) }}
</code_context>
<issue_to_address>
**issue (bug_risk):** Using `inputs.version` for push tag runs will break because `workflow_dispatch.inputs` are not defined on `push` events.
With the new `push: tags: ['*']` trigger, this workflow now runs in contexts where `inputs.version` is undefined. Using `inputs.version` in `run-name` and job/action inputs will fail on tag pushes. Either restrict this workflow to `workflow_dispatch` only, derive the version from the tag (e.g. `github.ref_name`) for `push` runs, or conditionally use `inputs.version` only when `github.event_name == 'workflow_dispatch'`.
</issue_to_address>
### Comment 2
<location> `.github/workflows/check-image-vulnerabilities.yml:64-70` </location>
<code_context>
- - name: Install roxctl
- uses: stackrox/roxctl-installer-action@v1
+ - name: Upload scan result artifact
+ if: always()
+ uses: actions/upload-artifact@v4
with:
- central-endpoint: ${{ vars.ACS_DOGFOODING_CENTRAL_URL }}
- central-token: ${{ env.ROX_API_TOKEN }}
+ name: scan-result-${{ matrix.image }}
+ path: scan-result.json
+ retention-days: 30
</code_context>
<issue_to_address>
**suggestion (bug_risk):** Uploading `scan-result.json` unconditionally may fail if the check action exits before creating the file.
Because this step runs even when `Check image vulnerabilities` fails, it can error if `scan-result.json` was never created, obscuring the original failure. Please either condition this step on the prior step having succeeded, or add a guard like `if: always() && hashFiles('scan-result.json') != ''` or `continue-on-error: true` so missing artifacts don’t cause a secondary failure.
```suggestion
- name: Upload scan result artifact
if: always() && hashFiles('scan-result.json') != ''
uses: actions/upload-artifact@v4
with:
name: scan-result-${{ matrix.image }}
path: scan-result.json
retention-days: 30
```
</issue_to_address>Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
| wait-for-images: | ||
| description: Shall workflow wait for images? | ||
| required: false | ||
| default: true | ||
| type: boolean |
There was a problem hiding this comment.
WDYT about directly exposing the duration to wait for images with the default value of 3h10m?
This is bigger than required for upstream but this puts the running person more in control of what happens and what duration to expect.
As for parsing values similar to Go's ParseDuration, this SO answer gives a slick 1-line approach to that. Works for me on Linux.
Folks who'd like this to fail fast, would pass 0.
| id: determine-image-tag | ||
| run: | | ||
| set -euo pipefail | ||
| tag="${{ inputs.version || github.ref_name }}" |
There was a problem hiding this comment.
Hm. This is suspicious or I'm missing it. inputs.version is a required parameter, why fallback to github.ref_name?
There was a problem hiding this comment.
The workflow can run in two ways (https://github.com/stackrox/stackrox/pull/17985/files#diff-d47125860e6f9559d168f8ecb1d5bb8bd10acbf8d9e6258a6eca46d648862b46R2-R15)
- Manually dispatched: The
inputs.versionis a required parameter and will be used astag - On
tagpush: The inputs are empty (proof is the empty array here: https://github.com/stackrox/stackrox/actions/runs/20996766698/job/60355486373), hence the workflow engine will fall back togithub.ref_name(the tag).
I have also updated this for the wait-limit and improved the debug output in run-parameters job.
There was a problem hiding this comment.
Here is a manual run: https://github.com/stackrox/stackrox/actions/runs/21026662260 (and one without waiting: https://github.com/stackrox/stackrox/actions/runs/21026893826)
Here is a tagged run with the fallbacks: https://github.com/stackrox/stackrox/actions/runs/21026874703
| - name: Determine image tag from input version | ||
| id: determine-image-tag |
There was a problem hiding this comment.
I feel, these steps should be called something like "Sanitize nightly version". Would you be ok with that?
It's unfortunate that nightly tags are such a mess. Konflux contributed to that somewhat. We should streamline that as opposed to working around but that work is involved and not loved by anyone. Creating a JIRA and placing in my personal backlog is the best I can offer.
There was a problem hiding this comment.
Creating a JIRA and placing in my personal backlog is the best I can offer.
That would be good.
| image: | ||
| [ | ||
| "release-central-db", | ||
| "release-collector", | ||
| "release-main", | ||
| "release-roxctl", | ||
| "release-scanner", | ||
| "release-scanner-db", | ||
| "release-scanner-db-slim", | ||
| "release-scanner-slim", | ||
| "release-scanner-v4", | ||
| "release-scanner-v4-db", | ||
| "release-operator", | ||
| ] |
There was a problem hiding this comment.
Looking at this again, I wonder would we benefit from introducing another process/checklist (i.e. in Confluence) Steps for adding new container to the product?
I've mixed feelings. On one hand, it's good to have a list of things not to forget. On the other, things are always in flux and there's a risk that the list will be treated too literally which creates more overhead for us to answer questions than benefits.
There was a problem hiding this comment.
There is already https://spaces.redhat.com/spaces/StackRox/pages/407312060/How+to+everything+Konflux+for+RHACS#HowtoeverythingKonfluxforRHACS-Howtoaddanewcomponent - wdyt about adding it here?
This comment was marked as off-topic.
This comment was marked as off-topic.
msugakov
left a comment
msugakov
left a comment
There was a problem hiding this comment.
Quick cosmetic thoughts. Will check your replies on more important stuff later.
| # Extract version part before -nightly- and replace patch version with 0 | ||
| # Example: 0.1.x-nightly-20260114 -> 0.1.0-nightly-20260114 | ||
| version_part="${tag%%-nightly-*}" | ||
| rest_part="${tag#*-nightly-}" | ||
| version_part=$(echo "$version_part" | sed -E 's/([0-9]+\.[0-9]+\.)x/\10/') | ||
| tag="${version_part}-nightly-${rest_part}" |
There was a problem hiding this comment.
As I read into this more closely, sorry - I'm just getting to my capacity, I recognize the pattern. We have a one-line solution for it that we carried over the years.
Line 8 in d690185
| # Extract version part before -nightly- and replace patch version with 0 | |
| # Example: 0.1.x-nightly-20260114 -> 0.1.0-nightly-20260114 | |
| version_part="${tag%%-nightly-*}" | |
| rest_part="${tag#*-nightly-}" | |
| version_part=$(echo "$version_part" | sed -E 's/([0-9]+\.[0-9]+\.)x/\10/') | |
| tag="${version_part}-nightly-${rest_part}" | |
| # Replace '.x' in patch version with '.0'. Example: 0.1.x-nightly-20260114 -> 0.1.0-nightly-20260114 | |
| tag="$(echo "${tag}" | sed -E 's@^(([[:digit:]]+\.)+)x(-)?@\10\3@g')" |
If you agree, please also change the second sanitize-nightly-version.
There was a problem hiding this comment.
That would be the same as doing
BUILD_TAG=1.2.x-nightly-202014 make -C operator tag
I would prefer to stick use the function instead of copying the implementation and creating another workaround case.
| parse-wait-for-images-limit: | ||
| name: Parse wait-for-images-limit | ||
| runs-on: ubuntu-latest | ||
| needs: [run-parameters] | ||
| outputs: | ||
| wait-limit: ${{ steps.parse-wait-limit.outputs.wait-limit }} | ||
| steps: |
There was a problem hiding this comment.
WDYT about making parse-wait-limit step just part of Run parameters job? Both things are kind-of "set up", and this way it's less boilerplate declarations.
| parse-wait-for-images-limit: | |
| name: Parse wait-for-images-limit | |
| runs-on: ubuntu-latest | |
| needs: [run-parameters] | |
| outputs: | |
| wait-limit: ${{ steps.parse-wait-limit.outputs.wait-limit }} | |
| steps: |
Not insisting.
Co-authored-by: Misha Sugakov <[email protected]>
3 participants
Description
Companion to stackrox/actions#72.
TODO
User-facing documentation
Testing and quality
Automated testing
Change to GHA, manual testing required, see below.
How I validated my change