
Add index audit Github workflow#19248

Open: aThorp96 wants to merge 1 commit into openshift-pipelines:next from aThorp96:audit-bundle

Conversation

@aThorp96 (Member) commented Mar 25, 2026

This commit adds a workflow which audits the project.yaml and CSV to validate that all images exist and that all images which share a source repository were built off of the same revision.

This check is useful to detect when an image in project.yaml expires, or when a component repository's Konflux CI fails to build/nudge all of the component's images, leaving some images out of date.

If this is approved and merged, I will also copy it to the main branch and all release branches, and update the hack automation to ensure it's propagated to new release branches automatically.
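The audit described above, grouping images by their source repository and flagging repositories whose images carry different build revisions, as an added example that is not the PR's script. It runs over constructed stand-ins for `skopeo inspect --config` output (the image references, URLs and revisions are sample values) and also handles the two edge cases the audit has to report rather than misfile: an image that cannot be pulled and an image whose build labels are missing or `null`.

```python
import json
from collections import defaultdict

SOURCE_LABEL = "io.openshift.build.source-location"
REVISION_LABEL = "io.openshift.build.commit.id"

# Constructed stand-ins for `skopeo inspect --config docker://<image>` output, keyed by
# image reference. None models a pull failure (expired or missing image); a dict models
# the parsed config blob whose `.config.Labels` the audit reads. Not real images.
INSPECT_RESULTS = {
    "registry.example/openshift-pipelines/controller@sha256:aaa": {"config": {"Labels": {
        SOURCE_LABEL: "https://github.com/openshift-pipelines/pipeline", REVISION_LABEL: "1111111"}}},
    "registry.example/openshift-pipelines/webhook@sha256:bbb": {"config": {"Labels": {
        SOURCE_LABEL: "https://github.com/openshift-pipelines/pipeline", REVISION_LABEL: "2222222"}}},
    "registry.example/openshift-pipelines/operator@sha256:ccc": {"config": {"Labels": {
        SOURCE_LABEL: "https://github.com/openshift-pipelines/operator", REVISION_LABEL: "3333333"}}},
    "registry.example/openshift-pipelines/expired@sha256:ddd": None,
    "registry.example/openshift-pipelines/unlabelled@sha256:eee": {"config": {"Labels": None}},
}

def repo_key(source_location):
    """'https://github.com/org/repo' -> 'org_repo' (the script's cut/tr normalisation)."""
    return "_".join(source_location.split("/")[3:])

def audit(images, inspect):
    """Group images by source repo; return (missing, unlabelled, inconsistent), where
    inconsistent maps repo -> {revision: [images]} for repos built from >1 revision."""
    missing, unlabelled = [], []
    by_repo = defaultdict(lambda: defaultdict(list))
    for image in images:
        data = inspect(image)
        if data is None:
            missing.append(image)
            continue
        # skopeo emits "Labels": null for an image without labels; treat that like {}.
        labels = data.get("config", {}).get("Labels") or {}
        source, revision = labels.get(SOURCE_LABEL), labels.get(REVISION_LABEL)
        if not source or not revision:
            # A missing label must be reported, not filed under a 'null' repository.
            unlabelled.append(image)
            continue
        by_repo[repo_key(source)][revision].append(image)
    inconsistent = {repo: dict(revs) for repo, revs in by_repo.items() if len(revs) > 1}
    return missing, unlabelled, inconsistent

if __name__ == "__main__":
    missing, unlabelled, inconsistent = audit(sorted(INSPECT_RESULTS), INSPECT_RESULTS.get)
    print(json.dumps({"missing": missing, "unlabelled": unlabelled,
                      "inconsistent": inconsistent}, indent=2))
```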

openshift-ci (Bot) commented Mar 25, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: aThorp96
Once this PR has been reviewed and has the lgtm label, please assign savitaashture for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

aThorp96 force-pushed the audit-bundle branch 3 times, most recently from e6dac66 to c091e5d on March 25, 2026 18:06

@pramodbindal (Member) commented:
@aThorp96
When doing a stage/production release, project.yaml is updated before images are pushed to the Red Hat registry.
In that scenario this workflow will fail.

@pramodbindal (Member) commented:

Instead of this workflow, can we do something in Konflux where we can make sure that project.yaml is updated with all images from the latest push snapshot?

@aThorp96 (Member, Author) commented:

Thanks for the review @pramodbindal. I had considered putting this in Konflux but I wasn't sure exactly where. If there is a good place to put it in Konflux, let's do that. Maybe it could even just be a standalone pipelinerun? Fast feedback would be helpful, I think, so a release captain can see early when an image is expired or a component didn't get nudged.

Regarding the race condition, that makes sense to me. If the images are Red-Hat-private as well, this automation will fail to pull them. For nightlies I don't think this is a concern.

This commit adds a workflow which audits the project.yaml and CSV to
validate that all images exist and that all images which share a source
repository were built off of the same revision
Copilot AI review requested due to automatic review settings June 3, 2026 11:56

Copilot AI left a comment

Pull request overview

This PR introduces a GitHub Actions workflow to audit project.yaml and the operator CSV for (a) referenced image existence and (b) consistency of source revisions across images that originate from the same source repository, helping detect expired/missing images and partial rebuilds in component repos.

Changes:

  • Add a new GitHub Actions workflow to run the index/image audit on PRs and pushes to next and release-* branches.
  • Add a Bash audit script that enumerates images from project.yaml and the CSV, inspects them via skopeo, and reports missing images / revision mismatches via annotations and the step summary.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File: .github/workflows/audit-index.yaml
Description: Adds the CI workflow entrypoint that checks out the repo and runs the audit script.

File: .github/audit-project.sh
Description: Implements the audit logic: collect image references, inspect images, and report missing images or inconsistent source revisions.

Comment on lines +25 to +32
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Collect images per repo
run: .github/audit-project.sh
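Review bot: `uses: actions/checkout@v4` pins the action to a floating tag; for a workflow whose output gates release audits, pin it to a full commit SHA (with the tag in a trailing comment) so a moved tag cannot change what runs on the runner. `fetch-depth: 0` is also more than the script needs: it only reads project.yaml and the CSV from the checked-out tree, so the default shallow clone suffices and saves time on every PR. Two smaller points on the last step: `run: .github/audit-project.sh` relies on the script's executable bit being committed, so `run: bash .github/audit-project.sh` is more robust, and the step silently assumes `skopeo` and `jq` are present on `ubuntu-latest`; an explicit install or version-check step would make that dependency visible when the runner image changes.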
Comment thread .github/audit-project.sh
Comment on lines +19 to +43
echo "Checking ${image}"
if [[ "${image}" != *"openshift-pipeline"* ]] && [[ "${image}" != *"tekton"* ]]; then
echo "Skipping ${image}, not an openshift pipelines image"
continue
fi

image_data=$(skopeo inspect --config "docker://${image}" || echo '{}')
if [[ "${image_data}" == '{}' ]]; then
grep -n "${image}" "${source_file}" | cut -d ':' -f1| while read -r line_no; do
echo "::error file=${source_file},line=${line_no},title=Missing image in ${context}::Could not fetch ${image}"
done

echo "- Image ${image} not found" >> "${errors}"
continue
fi
labels=$(echo "${image_data}" | jq '.config.Labels')
repository=$(echo -n "${labels}" | jq -r '.["io.openshift.build.source-location"]')
revision=$(echo -n "${labels}" | jq -r '.["io.openshift.build.commit.id"]')
if [[ -z "${repository}" ]]; then
echo "Unable to find source location for ${image}"
else
repository=$(echo "${repository}" | cut -d '/' -f 4- | tr '/' '_')
fi
echo "${revision}" >> "repos/${repository}"
echo "${image}" >> "images/${revision}"
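Review bot: the `if [[ -z "${repository}" ]]` check never fires when the label is absent, because `jq -r '.["io.openshift.build.source-location"]'` prints the literal string `null` for a missing key; the image is then filed under `repos/null` and the code falls through to `echo "${revision}" >> "repos/${repository}"` instead of reporting it. Check for both cases and skip the image: `if [[ -z "${repository}" || "${repository}" == "null" ]]; then echo "::warning ..."; continue; fi`, and apply the same test to `revision`, which otherwise lands in `images/null`. Two smaller points in the same block: `grep -n "${image}" "${source_file}"` treats the image reference as a regex, so the dots in the registry host and digest match any character and a short image name also matches longer references that contain it; `grep -nF -- "${image}"` matches literally. And `skopeo inspect ... || echo '{}'` folds every failure (authentication denied, network error, expired tag) into "Missing image"; given the comment above that release images are private until published, capturing skopeo's stderr into the annotation would let the reader tell an expired image from a permissions failure.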
Comment thread .github/audit-project.sh
Comment on lines +49 to +51
pushd repos
trap "popd" RETURN
for repo in *; do
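Review bot: `trap "popd" RETURN` only fires when a shell function (or a sourced file) returns, so unless these lines sit inside a function the trap never runs and the script stays in `repos/` for everything that follows; an explicit `popd` after the loop, or iterating over `repos/*` without changing directory, is more predictable. `for repo in *` also expands to the literal `*` when `repos/` is empty (every image skipped or missing), so the body runs once with `repo='*'`; `shopt -s nullglob` before the loop, or an emptiness check, avoids that.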
Comment thread .github/audit-project.sh
Comment on lines +61 to +64
echo "${all_images}" | while read -r image; do
grep -n "${image}" "${source_file}" | cut -d ':' -f1 | while read -r line_no; do
echo "::warning file=${source_file},line=${line_no},title=Inconsistent source commits::repository: ${repo}, revision: ${revision}, images reference revisions: ${all_revisions_oneline}"
done
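Review bot: same regex-versus-literal issue as in the first loop: `grep -n "${image}" "${source_file}"` should be `grep -nF -- "${image}"` so the dots and digest in the reference are matched literally and one image name does not annotate the lines of another reference that contains it. The warning text prints `${all_revisions_oneline}` once per image but gives no hint which of those revisions this particular image was built from; including the image's own revision in the message would make the annotation actionable without opening the step summary.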