fix(ci): retarget Konflux deploy-tag back to hp-fleet-gitops#784
Conversation
Reverts commit 2d76a14 (fix(ci): retarget Konflux deploy-tag to fleet-apps on GitLab, #780). That change was correct at the time (2026-06-30): ArgoCD read fleet-apps then. hp-gitops-tenants PR #9 (2026-07-01) repointed ArgoCD's kartograph-stage source at hp-fleet-gitops (GitHub) instead, so the push pipelines' deploy-tag finally task needs to target hp-fleet-gitops again — as it did before #780, via the update-and-push + create-pull-request tasks (plain `git push` + a `curl`-based GitHub PR creation step using the same `.netrc` staged for git auth, since GitHub has no GitLab-style `git push -o merge_request.*` equivalent). Confirmed needed: both kartograph-api-on-push and kartograph-dev-ui-on-push failed at update-deploy-tag on the first push to main after merging #782, because it was still trying (and failing) to push to the GitLab fleet-apps repo. Requires the kartograph-hp-fleet-gitops-auth secret (GitHub PAT with repo + pull_request scope) to exist in the kartograph-tenant Konflux namespace — same requirement as before #780, when this last worked. Co-authored-by: Cursor <cursoragent@cursor.com>
📝 WalkthroughSummary by CodeRabbit
WalkthroughFive Tekton PipelineRun manifests migrate their Estimated code review effort: 4 (Complex) | ~45 minutes Sequence Diagram(s)sequenceDiagram
participant Pipeline as update-deploy-tag Task
participant HpFleetGitops as hp-fleet-gitops repo (GitHub)
participant TektonRun as /tekton/run metadata
participant GitHubREST as GitHub REST API
participant GitHubGraphQL as GitHub GraphQL API
Pipeline->>HpFleetGitops: git clone (shallow, main)
Pipeline->>HpFleetGitops: update kustomization.yaml tag, commit, push branch to origin
Pipeline->>TektonRun: write deploy-branch, commit-sha, deploy-component, short-sha
Pipeline->>TektonRun: read deploy metadata (create-pull-request step)
Pipeline->>GitHubREST: create pull request (using netrc credentials)
GitHubREST-->>Pipeline: PR node id
alt PR node id present
Pipeline->>GitHubGraphQL: enablePullRequestAutoMerge mutation
GitHubGraphQL-->>Pipeline: auto-merge enabled
end
Related PRs: No related PR references provided in the summarized changes. Suggested labels: ci/cd, security, tekton, credentials-migration Suggested reviewers: No reviewer information provided in the summarized changes. CWE-798 (Use of Hard-coded Credentials) is not directly triggered here, but note: five manifests each independently reference the 🚥 Pre-merge checks | ✅ 11✅ Passed checks (11 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
✨ Simplify code
Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.tekton/kartograph-agent-runtime-push.yaml:
- Around line 618-620: The finally task is referencing the hp-fleet-gitops-auth
workspace, but the pipeline definition never declares it in
pipelineSpec.workspaces. Update the PipelineSpec to add a workspace entry for
hp-fleet-gitops-auth so the final task can bind it correctly; check the
workspace declarations used by finally.update-deploy-tag and any related
task/workspace names to keep them consistent.
- Around line 660-662: The PR creation flow is using credentials that only cover
github.com, so the `curl --netrc` call against the GitHub API can fail
authentication and still be masked by `|| true`, leading to a false “PR created:
none” result. Update the auth example and the credential check logic in the
shell block around the GitHub API request so `machine api.github.com` is
supported, and remove the failure masking so the script stops immediately when
PR creation fails instead of continuing with an empty result.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Central YAML (base), Organization UI (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: 55d84984-3284-46ce-8d2f-b51bdaec38bc
📒 Files selected for processing (6)
.tekton/kartograph-agent-runtime-push.yaml.tekton/kartograph-api-push.yaml.tekton/kartograph-dev-ui-push.yaml.tekton/kartograph-fleet-apps-auth.secret.example.yaml.tekton/kartograph-hp-fleet-gitops-auth.secret.example.yaml.tekton/kartograph-openshell-gateway-push.yaml
🔗 Linked repositories identified
CodeRabbit considers these linked repositories for cross-repo context during reviews:
openshift-hyperfleet/architecture(manual)openshift-hyperfleet/hyperfleet-api(manual)openshift-hyperfleet/hyperfleet-sentinel(manual)openshift-hyperfleet/hyperfleet-adapter(manual)openshift-hyperfleet/hyperfleet-broker(manual)
💤 Files with no reviewable changes (1)
- .tekton/kartograph-fleet-apps-auth.secret.example.yaml
| workspace: hp-fleet-gitops-auth | ||
| - name: netrc | ||
| workspace: fleet-apps-auth | ||
| workspace: hp-fleet-gitops-auth |
There was a problem hiding this comment.
🎯 Functional Correctness | 🔴 Critical | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -eu
for f in .tekton/kartograph-*-push.yaml; do
echo "== $f =="
rg -n 'workspace: hp-fleet-gitops-auth|name: hp-fleet-gitops-auth|^[[:space:]]{4}workspaces:|taskRunTemplate:' "$f"
doneRepository: openshift-hyperfleet/kartograph
Length of output: 1056
🏁 Script executed:
#!/bin/bash
set -eu
for f in .tekton/kartograph-agent-runtime-push.yaml .tekton/kartograph-api-push.yaml .tekton/kartograph-dev-ui-push.yaml .tekton/kartograph-openshell-gateway-push.yaml; do
echo "===== $f ====="
sed -n '760,795p' "$f"
echo
doneRepository: openshift-hyperfleet/kartograph
Length of output: 3766
🏁 Script executed (no clone):
#!/bin/bash
set -eu
python3 - <<'PY'
print("Tekton workspace binding semantics need checking if file context is ambiguous.")
PY
Length of output: 204
Declare hp-fleet-gitops-auth in pipelineSpec.workspaces. The finally.update-deploy-tag task references a workspace that the PipelineSpec never declares, so Tekton can reject the PipelineRun before it starts (CWE-20).
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.tekton/kartograph-agent-runtime-push.yaml around lines 618 - 620, The
finally task is referencing the hp-fleet-gitops-auth workspace, but the pipeline
definition never declares it in pipelineSpec.workspaces. Update the PipelineSpec
to add a workspace entry for hp-fleet-gitops-auth so the final task can bind it
correctly; check the workspace declarations used by finally.update-deploy-tag
and any related task/workspace names to keep them consistent.
| if [ ! -f "${WORKSPACE_BASIC_AUTH_PATH}/.git-credentials" ] && [ ! -f "${WORKSPACE_NETRC_PATH}/.netrc" ]; then | ||
| echo "ERROR: Secret kartograph-fleet-apps-auth is missing or empty." | ||
| echo "Apply .tekton/kartograph-fleet-apps-auth.secret.example.yaml in kartograph-tenant." | ||
| echo "ERROR: Secret kartograph-hp-fleet-gitops-auth is missing or empty." | ||
| echo "Apply .tekton/kartograph-hp-fleet-gitops-auth.secret.example.yaml in kartograph-tenant." |
There was a problem hiding this comment.
🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -eu
fd -p '.tekton' -e yaml -e yml \
| xargs rg -n 'machine api\.github\.com|machine github\.com|https://api\.github\.com|--netrc|PR_RESPONSE=.*curl'Repository: openshift-hyperfleet/kartograph
Length of output: 2930
🏁 Script executed:
#!/bin/bash
set -eu
echo '--- target snippet ---'
sed -n '630,790p' .tekton/kartograph-agent-runtime-push.yaml
echo '--- auth secret references ---'
rg -n 'kartograph-hp-fleet-gitops-auth|machine api\.github\.com|machine github\.com|\.netrc|\.git-credentials|api\.github\.com/repos/.*/pulls|PR_RESPONSE=.*curl|PR created:' .tekton -S
echo '--- example secret files ---'
fd -a 'kartograph-hp-fleet-gitops-auth.secret.example.yaml|*.netrc*|*gitops*auth*' .Repository: openshift-hyperfleet/kartograph
Length of output: 15136
Add machine api.github.com and fail closed on PR creation
.tekton/kartograph-hp-fleet-gitops-auth.secret.example.yaml only shows machine github.com, so curl --netrc https://api.github.com/... will not authenticate. The || true then masks the failure and can emit PR created: none instead of stopping. CWE-287, CWE-390.
Proposed hardening
- PR_RESPONSE=$(curl -sS --netrc \
+ PR_RESPONSE=$(curl -fsS --netrc \
-H "Content-Type: application/json" \
-d @"$PAYLOAD" \
- "https://api.github.com/repos/${REPO}/pulls") || true
+ "https://api.github.com/repos/${REPO}/pulls")
rm -f "$PAYLOAD"
PR_URL=$(echo "$PR_RESPONSE" | grep -o '"html_url":"[^"]*"' | head -1 | cut -d'"' -f4)
- echo "PR created: ${PR_URL:-none}"
-
PR_NODE_ID=$(echo "$PR_RESPONSE" | grep -o '"node_id":"[^"]*"' | head -1 | cut -d'"' -f4)
+ if [ -z "$PR_URL" ] || [ -z "$PR_NODE_ID" ]; then
+ echo "ERROR: GitHub pull request response did not include html_url/node_id"
+ echo "$PR_RESPONSE"
+ exit 1
+ fi
+ echo "PR created: $PR_URL"🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.tekton/kartograph-agent-runtime-push.yaml around lines 660 - 662, The PR
creation flow is using credentials that only cover github.com, so the `curl
--netrc` call against the GitHub API can fail authentication and still be masked
by `|| true`, leading to a false “PR created: none” result. Update the auth
example and the credential check logic in the shell block around the GitHub API
request so `machine api.github.com` is supported, and remove the failure masking
so the script stops immediately when PR creation fails instead of continuing
with an empty result.
Summary
update-deploy-tagfinally task fromhp-fleet-gitops(GitHub) tofleet-apps(GitLab). That was correct on 2026-06-30 (ArgoCD read fleet-apps then), but hp-gitops-tenants PR #9 (2026-07-01) repointed ArgoCD'skartograph-stagesource athp-fleet-gitopsinstead, so deploy-tag needs to go there again.kartograph-api-on-pushandkartograph-dev-ui-on-pushfailed atupdate-deploy-tagon the first push tomainafter merging fix(deploy): register openshell gateway CLI and sync GitOps docs to hp-fleet-gitops #782 (commitc5d8800), because the task was still trying (and failing) to push to the GitLabfleet-appsrepo.git push+ a separatecurl-basedcreate-pull-requesttask that opens the PR againsthp-fleet-gitopsvia the GitHub REST API (using the same.netrcstaged for git auth) and enables auto-merge, since GitHub has no equivalent to GitLab'sgit push -o merge_request.*push options.Requires
kartograph-hp-fleet-gitops-authsecret (GitHub PAT withrepo+pull_requestscope onopenshift-online/hp-fleet-gitops) must exist in thekartograph-tenantKonflux namespace — same requirement as before fix(ci): retarget Konflux deploy-tag to fleet-apps on GitLab #780, when this last worked. If it's missing or the PAT is stale/under-scoped,update-deploy-tagwill fail again (previously seen as a 403 on push).Test plan
python3 -c "import yaml; ..."syntax-validated all 4 modified.tekton/*-push.yamlfileson-pushbuild'supdate-deploy-tagtask succeeds and opens a PR againsthp-fleet-gitopsMade with Cursor