Skip to content

fix(ci): retarget Konflux deploy-tag back to hp-fleet-gitops#784

Merged
aredenba-rh merged 1 commit into
mainfrom
fix/deploy-tag-hp-fleet-gitops
Jul 2, 2026
Merged

fix(ci): retarget Konflux deploy-tag back to hp-fleet-gitops#784
aredenba-rh merged 1 commit into
mainfrom
fix/deploy-tag-hp-fleet-gitops

Conversation

@aredenba-rh

Copy link
Copy Markdown
Collaborator

Summary

Requires

  • The kartograph-hp-fleet-gitops-auth secret (GitHub PAT with repo + pull_request scope on openshift-online/hp-fleet-gitops) must exist in the kartograph-tenant Konflux namespace — same requirement as before fix(ci): retarget Konflux deploy-tag to fleet-apps on GitLab #780, when this last worked. If it's missing or the PAT is stale/under-scoped, update-deploy-tag will fail again (previously seen as a 403 on push).

Test plan

  • python3 -c "import yaml; ..." syntax-validated all 4 modified .tekton/*-push.yaml files
  • Merge and confirm the next on-push build's update-deploy-tag task succeeds and opens a PR against hp-fleet-gitops

Made with Cursor

Reverts commit 2d76a14 (fix(ci): retarget Konflux deploy-tag to
fleet-apps on GitLab, #780). That change was correct at the time
(2026-06-30): ArgoCD read fleet-apps then. hp-gitops-tenants PR #9
(2026-07-01) repointed ArgoCD's kartograph-stage source at
hp-fleet-gitops (GitHub) instead, so the push pipelines' deploy-tag
finally task needs to target hp-fleet-gitops again — as it did before
#780, via the update-and-push + create-pull-request tasks (plain `git
push` + a `curl`-based GitHub PR creation step using the same `.netrc`
staged for git auth, since GitHub has no GitLab-style
`git push -o merge_request.*` equivalent).

Confirmed needed: both kartograph-api-on-push and
kartograph-dev-ui-on-push failed at update-deploy-tag on the first
push to main after merging #782, because it was still trying (and
failing) to push to the GitLab fleet-apps repo.

Requires the kartograph-hp-fleet-gitops-auth secret (GitHub PAT with
repo + pull_request scope) to exist in the kartograph-tenant Konflux
namespace — same requirement as before #780, when this last worked.

Co-authored-by: Cursor <cursoragent@cursor.com>
@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor
📝 Walkthrough

Summary by CodeRabbit

  • New Features

    • Deployment updates now create pull requests in GitHub and can enable auto-merge when available.
    • Pipelines now use the new GitOps access setup for deployment publishing.
  • Bug Fixes

    • Improved deployment update flows across multiple push pipelines.
    • Updated validation and error messages to reflect the new deployment credentials.
  • Documentation

    • Refreshed the example secret guidance for the new deployment workflow.
    • Removed outdated example secret content tied to the previous setup.

Walkthrough

Five Tekton PipelineRun manifests migrate their update-deploy-tag finally task from the fleet-apps-auth workspace/secret to hp-fleet-gitops-auth, updating error messages, clone source from a GitLab fleet-apps repo to the GitHub openshift-online/hp-fleet-gitops repo, and workspace secret mappings. The GitLab merge-request push flow is replaced with a plain git push origin, deploy metadata written to /tekton/run, and a new create-pull-request step using GitHub REST/GraphQL to open a PR and enable auto-merge. The old kartograph-fleet-apps-auth.secret.example.yaml file is deleted; the kartograph-hp-fleet-gitops-auth.secret.example.yaml header comment is updated.

Estimated code review effort: 4 (Complex) | ~45 minutes

Sequence Diagram(s)

sequenceDiagram
    participant Pipeline as update-deploy-tag Task
    participant HpFleetGitops as hp-fleet-gitops repo (GitHub)
    participant TektonRun as /tekton/run metadata
    participant GitHubREST as GitHub REST API
    participant GitHubGraphQL as GitHub GraphQL API

    Pipeline->>HpFleetGitops: git clone (shallow, main)
    Pipeline->>HpFleetGitops: update kustomization.yaml tag, commit, push branch to origin
    Pipeline->>TektonRun: write deploy-branch, commit-sha, deploy-component, short-sha
    Pipeline->>TektonRun: read deploy metadata (create-pull-request step)
    Pipeline->>GitHubREST: create pull request (using netrc credentials)
    GitHubREST-->>Pipeline: PR node id
    alt PR node id present
        Pipeline->>GitHubGraphQL: enablePullRequestAutoMerge mutation
        GitHubGraphQL-->>Pipeline: auto-merge enabled
    end
Loading

Related PRs: No related PR references provided in the summarized changes.

Suggested labels: ci/cd, security, tekton, credentials-migration

Suggested reviewers: No reviewer information provided in the summarized changes.

CWE-798 (Use of Hard-coded Credentials) is not directly triggered here, but note: five manifests each independently reference the kartograph-hp-fleet-gitops-auth secret by name inline in shell error strings — verify this secret is scoped least-privilege (PR-creation + push only) since it replaces a GitLab PAT-based credential (REPLACE_WITH_GITLAB_PAT placeholder previously present in the deleted example) with a GitHub PAT/App token used across git push, REST PR creation, and GraphQL auto-merge mutation. Confirm the GraphQL auto-merge call (CWE-284, Improper Access Control) cannot be triggered on repos/branches without required review gates — auto-merge enablement bypassing branch protection is a known misconfiguration vector. Also confirm netrc/.git-credentials are not persisted to logs or task results in the /tekton/run metadata write step (CWE-532, Insertion of Sensitive Information into Log File) — writing commit-sha/branch/component to shared workspace files is fine, but verify no credential material leaks into that path. No poem — this isn't a demo.

🚥 Pre-merge checks | ✅ 11
✅ Passed checks (11 passed)
Check name Status Explanation
Title check ✅ Passed The title matches the main change: retargeting Konflux deploy-tag back to hp-fleet-gitops.
Description check ✅ Passed The description directly describes the same Konflux deploy-tag retargeting and PR flow changes.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Sec-02: Secrets In Log Output ✅ Passed No CWE-532 log leakage: modified logs only mention static secret names, branch/PR metadata, and netrc absence; no token/password/credential values are interpolated.
No Hardcoded Secrets ✅ Passed No hardcoded credentials found (CWE-798/CWE-321); changed Tekton files only wire secret names and placeholder example values like REPLACE_WITH_GITHUB_PAT.
No Weak Cryptography ✅ Passed Touched Tekton YAML only adds git/curl PR flow; no MD5/DES/RC4, SHA1-for-security, ECB, custom crypto, or secret/HMAC comparisons found.
No Injection Vectors ✅ Passed No CWE-89/78/79/502 sinks found; modified Tekton scripts use hardcoded GitHub targets and hex-validated COMMIT_SHA.
No Privileged Containers ✅ Passed No privileged/root indicators in modified manifests: no privileged=true, host* flags, SYS_ADMIN, allowPrivilegeEscalation, or explicit root (CWE-269/CWE-732).
No Pii Or Sensitive Data In Logs ✅ Passed No PII/raw response bodies or creds are logged; only branch/PR status messages appear. CWE-532 not observed.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/deploy-tag-hp-fleet-gitops
✨ Simplify code
  • Create PR with simplified code
  • Commit simplified code in branch fix/deploy-tag-hp-fleet-gitops

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.tekton/kartograph-agent-runtime-push.yaml:
- Around line 618-620: The finally task is referencing the hp-fleet-gitops-auth
workspace, but the pipeline definition never declares it in
pipelineSpec.workspaces. Update the PipelineSpec to add a workspace entry for
hp-fleet-gitops-auth so the final task can bind it correctly; check the
workspace declarations used by finally.update-deploy-tag and any related
task/workspace names to keep them consistent.
- Around line 660-662: The PR creation flow is using credentials that only cover
github.com, so the `curl --netrc` call against the GitHub API can fail
authentication and still be masked by `|| true`, leading to a false “PR created:
none” result. Update the auth example and the credential check logic in the
shell block around the GitHub API request so `machine api.github.com` is
supported, and remove the failure masking so the script stops immediately when
PR creation fails instead of continuing with an empty result.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 55d84984-3284-46ce-8d2f-b51bdaec38bc

📥 Commits

Reviewing files that changed from the base of the PR and between ee1bd5a and b100c39.

📒 Files selected for processing (6)
  • .tekton/kartograph-agent-runtime-push.yaml
  • .tekton/kartograph-api-push.yaml
  • .tekton/kartograph-dev-ui-push.yaml
  • .tekton/kartograph-fleet-apps-auth.secret.example.yaml
  • .tekton/kartograph-hp-fleet-gitops-auth.secret.example.yaml
  • .tekton/kartograph-openshell-gateway-push.yaml
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift-hyperfleet/architecture (manual)
  • openshift-hyperfleet/hyperfleet-api (manual)
  • openshift-hyperfleet/hyperfleet-sentinel (manual)
  • openshift-hyperfleet/hyperfleet-adapter (manual)
  • openshift-hyperfleet/hyperfleet-broker (manual)
💤 Files with no reviewable changes (1)
  • .tekton/kartograph-fleet-apps-auth.secret.example.yaml

Comment on lines +618 to +620
workspace: hp-fleet-gitops-auth
- name: netrc
workspace: fleet-apps-auth
workspace: hp-fleet-gitops-auth

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -eu
for f in .tekton/kartograph-*-push.yaml; do
  echo "== $f =="
  rg -n 'workspace: hp-fleet-gitops-auth|name: hp-fleet-gitops-auth|^[[:space:]]{4}workspaces:|taskRunTemplate:' "$f"
done

Repository: openshift-hyperfleet/kartograph

Length of output: 1056


🏁 Script executed:

#!/bin/bash
set -eu

for f in .tekton/kartograph-agent-runtime-push.yaml .tekton/kartograph-api-push.yaml .tekton/kartograph-dev-ui-push.yaml .tekton/kartograph-openshell-gateway-push.yaml; do
  echo "===== $f ====="
  sed -n '760,795p' "$f"
  echo
done

Repository: openshift-hyperfleet/kartograph

Length of output: 3766


🏁 Script executed (no clone):

#!/bin/bash
set -eu
python3 - <<'PY'
print("Tekton workspace binding semantics need checking if file context is ambiguous.")
PY

Length of output: 204


Declare hp-fleet-gitops-auth in pipelineSpec.workspaces. The finally.update-deploy-tag task references a workspace that the PipelineSpec never declares, so Tekton can reject the PipelineRun before it starts (CWE-20).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.tekton/kartograph-agent-runtime-push.yaml around lines 618 - 620, The
finally task is referencing the hp-fleet-gitops-auth workspace, but the pipeline
definition never declares it in pipelineSpec.workspaces. Update the PipelineSpec
to add a workspace entry for hp-fleet-gitops-auth so the final task can bind it
correctly; check the workspace declarations used by finally.update-deploy-tag
and any related task/workspace names to keep them consistent.

Comment on lines 660 to +662
if [ ! -f "${WORKSPACE_BASIC_AUTH_PATH}/.git-credentials" ] && [ ! -f "${WORKSPACE_NETRC_PATH}/.netrc" ]; then
echo "ERROR: Secret kartograph-fleet-apps-auth is missing or empty."
echo "Apply .tekton/kartograph-fleet-apps-auth.secret.example.yaml in kartograph-tenant."
echo "ERROR: Secret kartograph-hp-fleet-gitops-auth is missing or empty."
echo "Apply .tekton/kartograph-hp-fleet-gitops-auth.secret.example.yaml in kartograph-tenant."

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -eu
fd -p '.tekton' -e yaml -e yml \
  | xargs rg -n 'machine api\.github\.com|machine github\.com|https://api\.github\.com|--netrc|PR_RESPONSE=.*curl'

Repository: openshift-hyperfleet/kartograph

Length of output: 2930


🏁 Script executed:

#!/bin/bash
set -eu

echo '--- target snippet ---'
sed -n '630,790p' .tekton/kartograph-agent-runtime-push.yaml

echo '--- auth secret references ---'
rg -n 'kartograph-hp-fleet-gitops-auth|machine api\.github\.com|machine github\.com|\.netrc|\.git-credentials|api\.github\.com/repos/.*/pulls|PR_RESPONSE=.*curl|PR created:' .tekton -S

echo '--- example secret files ---'
fd -a 'kartograph-hp-fleet-gitops-auth.secret.example.yaml|*.netrc*|*gitops*auth*' .

Repository: openshift-hyperfleet/kartograph

Length of output: 15136


Add machine api.github.com and fail closed on PR creation
.tekton/kartograph-hp-fleet-gitops-auth.secret.example.yaml only shows machine github.com, so curl --netrc https://api.github.com/... will not authenticate. The || true then masks the failure and can emit PR created: none instead of stopping. CWE-287, CWE-390.

Proposed hardening
-                PR_RESPONSE=$(curl -sS --netrc \
+                PR_RESPONSE=$(curl -fsS --netrc \
                   -H "Content-Type: application/json" \
                   -d @"$PAYLOAD" \
-                  "https://api.github.com/repos/${REPO}/pulls") || true
+                  "https://api.github.com/repos/${REPO}/pulls")
                 rm -f "$PAYLOAD"

                 PR_URL=$(echo "$PR_RESPONSE" | grep -o '"html_url":"[^"]*"' | head -1 | cut -d'"' -f4)
-                echo "PR created: ${PR_URL:-none}"
-
                 PR_NODE_ID=$(echo "$PR_RESPONSE" | grep -o '"node_id":"[^"]*"' | head -1 | cut -d'"' -f4)
+                if [ -z "$PR_URL" ] || [ -z "$PR_NODE_ID" ]; then
+                  echo "ERROR: GitHub pull request response did not include html_url/node_id"
+                  echo "$PR_RESPONSE"
+                  exit 1
+                fi
+                echo "PR created: $PR_URL"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.tekton/kartograph-agent-runtime-push.yaml around lines 660 - 662, The PR
creation flow is using credentials that only cover github.com, so the `curl
--netrc` call against the GitHub API can fail authentication and still be masked
by `|| true`, leading to a false “PR created: none” result. Update the auth
example and the credential check logic in the shell block around the GitHub API
request so `machine api.github.com` is supported, and remove the failure masking
so the script stops immediately when PR creation fails instead of continuing
with an empty result.

@aredenba-rh aredenba-rh merged commit 9d793be into main Jul 2, 2026
9 checks passed
@aredenba-rh aredenba-rh deleted the fix/deploy-tag-hp-fleet-gitops branch July 2, 2026 04:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant